• $100 – $4,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

61 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$250 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Welcome to Skyscanner's public Bug Bounty program

Keeping traveller's information safe and secure is a top priority and a core company value for us at Skyscanner. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.

For the past few years, we've run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.

We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.


We encourage thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.

To promote the discovery and reporting of vulnerabilities, we ask that you:

  • share the security issue with us in detail
  • understand that all valid reports will be taken seriously by our engineering teams
  • act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
  • comply with all applicable laws

We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).


We expect researchers to follow the program rules:

Researchers must:

  • add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
  • use your email address for accounts
  • not access or modify our, or our travellers' data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
  • contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
  • perform testing and research only within the areas that are in scope
  • follow the Bugcrowd Coordinated Disclosure rules

In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:

  • Social Engineering attacks
  • DDoS
  • Use of automated vulnerability / scanning tools
    • Please do not spam forms or account creation flows using automated scanners
    • We have a number of rate limits in place that may result in your IP address being blocked if you use such tools
  • Any testing of corporate email (*

We are under no obligation to payout for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies. We reserve the right to withdraw this scheme at any time and shall have no obligation to payout for any bugs submitted after closure of the scheme. We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.

Rating/Reward Information:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, please note that in some cases, priority will be altered due to the likelihood or impact of an exploit. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We will award higher bounties for all valid submissions contained in our Focus Areas.

*The highest rewards will be reserved for submissions deemed to have high business criticality.

Priority Reward range
P1 $2,000 – $4,000*
P2 $900 – $1,500*
P3 $300 – $400
P4 $100 – $150


  • Vulnerabilities found in multiple fields in the same form or using the same CSRF token will be counted as a single vulnerability. Subsequent submissions will be marked as Not Applicable. Please detail all affected fields in a single submission.
  • Vulnerabilities that can be exploited with similar payloads on the same path are only eligible for a single reward. Subsequent submissions will be marked Not Applicable. Once we have implemented a fix we may ask you to re-test the vulnerability with similar payloads. We very much appreciate the work of the security community as we strive to provide our customers with the very safest products.

Safe Harbor compliance

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.


In scope

Target name Type* Website* API
Skyscanner iOS App iOS
Skyscanner Android App Android* Website* Website

Out of scope

Target name Type
Corporate Email (* Other
Subdomains (**) Website

Target info:

Below is a summary of all the targets we will consider submissions for. Please read this section thoroughly for more information on each target, as well as our main Focus Areas.

Skyscanner website

    • Vulnerabilities found in any other regional domain with the same codebase (such as*) will be considered the same vulnerability
    • Please note that subdomains (**) are Out of Scope unless otherwise specified

Skyscanner API Gateway


Skyscanner iOS and Android Apps

  • Skyscanner iOS App can be downloaded from the Apple App Store
  • Skyscanner Android App can be downloaded from the Google Play Store
    • Application code in the APK and any data it creates and saves on the device
    • Features or code provided by separate web services will be in scope of the service itself, not the app

Third Party Tools

Vulnerabilities found in third party products are unlikely to be rewarded unless they are unique to our configuration or present a serious business risk (at our discretion).

Focus Areas*

  • Auth0 endpoints should be used only to:
    • Test authentication and session management flows
    • Manually verify potential vulnerabilities like XSS / Open Redirects
  • Out of Scope:
    • Large scale account enumeration or brute force that might lead the lock-out of a real user's account
    • Auth0 endpoints*


  • Anything relating to the Direct Booking flow of the Flights product will be considered as a 'Focus Area'

The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:

  1. To find a route with Direct Booking options, search for Edinburgh (EDI) to London Heathrow (LHR).
  2. Select a date approximately 3 months in advance.
  3. Under the Airlines filter, uncheck every option besides British Airlines.
  4. On the web, press Select on any flight. On mobile, tap on the flight, then press Check Offers.
  5. Click a pink 'Book' button on any available partner to begin the Direct Booking flow.*


  • Anything relating to the Direct Booking flow of the Hotels product will be considered as a 'Focus Area'

The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:

  1. Search for any Hyatt hotel. For example: Hyatt Regency London The Churchill.
  2. Select a date approximately 3 months in advance.
  3. Press See details (on web) or See rates (on mobile). You should then see the a Hyatt-branded page which is the start of the Direct Booking flow.*

  • Only a limited account will be accessible
  • Create an account at
  • This will create a standard account that will not provide you access to any information. Other account types are Out of Scope.
  • We are interested in testing for:
    • Authentication / authorisation controls including access to other partners' data
    • Input validation
    • Remote code execution vulnerabilities

Out of Scope

The following issues are outside the scope of our rewards program:

  • Our policies on presence/absence of SPF/DMARC records.
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
  • Attacks requiring physical access to a user's device.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Social engineering of Skyscanner employees or contractors.
  • Any physical attempts against Skyscanner property or data centers.
  • Any report that discusses how you can learn whether a given username, email address has a Skyscanner account.
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where attacker can inject image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
  • Ability to share links without verifying email.
  • Absence of rate limiting, unless related to authentication.
  • IP/Port Scanning via Skyscanner services unless you are able to hit private IPs or Skyscanner servers.
  • Devices (iOS, Android, desktop apps) not getting unlinked on password change.
  • Phishing risk via unicode/punycode or RTLO issues.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.