Welcome to Skyscanner's public Bug Bounty program
Keeping travellers' information safe and secure is a top priority and a core company value for us at Skyscanner. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.
For the past few years, we've run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.
We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.
We encourage thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.
To promote the discovery and reporting of vulnerabilities, we ask that you:
- share the security issue with us in detail
- understand that all valid reports will be taken seriously by our engineering teams
- act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
- comply with all applicable laws
We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.
We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).
We expect researchers to follow the program rules:
- add the following header to all HTTP requests:
- use your firstname.lastname@example.org address for accounts
- not access or modify our, or our travellers' data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
- contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
- perform testing and research only within the areas that are in scope
- follow the Bugcrowd Coordinated Disclosure rules
In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:
- Social Engineering attacks
- Use of automated vulnerability / scanning tools
- Please do not spam forms or account creation flows using automated scanners
- We have a number of rate limits in place that may result in your IP address being blocked if you use such tools
- Any testing of corporate email (
We are under no obligation to payout for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies. We reserve the right to withdraw this scheme at any time and shall have no obligation to payout for any bugs submitted after closure of the scheme. We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
We will award higher bounties for all valid submissions contained in our Focus Areas.
- Vulnerabilities found in multiple fields in the same form or using the same CSRF token will be counted as a single vulnerability. Subsequent submissions will be marked as Not Applicable. Please detail all affected fields in a single submission.
- Vulnerabilities that can be exploited with similar payloads on the same path are only eligible for a single reward. Subsequent submissions will be marked Not Applicable. Once we have implemented a fix we may ask you to re-test the vulnerability with similar payloads. We very much appreciate the work of the security community as we strive to provide our customers with the very safest products.
Out of scope
Below is a summary of all the targets we will consider submissions for. Please read this section thoroughly for more information on each target, as well as our main Focus Areas.
- Vulnerabilities found in any other regional domain with the same codebase (such as skyscanner.fr/*) will be considered the same vulnerability
- Please note that subdomains (*.skyscanner.net/*) are Out of Scope unless otherwise specified
Skyscanner API Gateway
Skyscanner iOS and Android Apps
- Skyscanner iOS App can be downloaded from the Apple App Store
- Skyscanner Android App can be downloaded from the Google Play Store
- Application code in the APK and any data it creates and saves on the device
- Features or code provided by separate web services will be in scope of the service itself, not the app
Third Party Tools
Vulnerabilities found in third party products are unlikely to be rewarded unless they are unique to our configuration or present a serious business risk (at our discretion).
- Auth0 endpoints should be used only to:
- Test authentication and session management flows
- Manually verify potential vulnerabilities like XSS / Open Redirects
- Out of Scope:
- Large scale account enumeration or brute force that might lead to the lock-out of a real user's account
- Auth0 endpoints
- Anything relating to the Direct Booking flow of the Flights product will be considered as a 'Focus Area'
The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:
- To find a route with Direct Booking options, search for London Heathrow (LHR).
- Select a date approximately 3 months in advance.
- Under the Airlines filter, uncheck every option besides
- On the web, press Select on any flight. On mobile, tap on the flight, then press
- Click a pink 'Book' button on any available partner to begin the Direct Booking flow.
- Only a limited account will be accessible
- Create an account at https://partnerportal.skyscanner.net
- This will create a standard account that will not provide you access to any information. Other account types are Out of Scope.
- We are interested in testing for:
- Authentication / authorisation controls including access to other partners' data
- Input validation
- Remote code execution vulnerabilities
Out of Scope
The following issues are outside the scope of our rewards program:
- Our policies on presence/absence of SPF/DMARC records.
- Password, email and account policies, such as email id verification, reset link expiration, password complexity.
- Attacks requiring physical access to a user's device.
- Host header injections unless you can show how they can lead to stealing user data.
- Reports of spam (i.e., any report involving ability to send emails without rate limits).
- Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Vulnerabilities affecting users of outdated browsers or platforms.
- Social engineering of Skyscanner employees or contractors.
- Any physical attempts against Skyscanner property or data centers.
- Any report that discusses how you can learn whether a given username or email address has a Skyscanner account.
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
- Ability to share links without verifying email.
- Absence of rate limiting, unless related to authentication.
- IP/Port Scanning via Skyscanner services unless you are able to hit private IPs or Skyscanner servers.
- Devices (iOS, Android, desktop apps) not getting unlinked on password change.
- Phishing risk via unicode/punycode or RTLO issues.