Skyscanner

  • $100 – $4,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

86 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$825 average payout (last 3 months)

Welcome to Skyscanner's Bug Bounty program

Keeping travellers' information safe and secure is a top priority for Skyscanner. We welcome the contribution of security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.

We invite researchers to test the Skyscanner website and mobile apps in line with the principles set out in this brief.

Guidelines

We request thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.

To promote the discovery and reporting of vulnerabilities we ask that you:

  • share the security issue with us in detail
  • act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
  • comply with all applicable laws
  • understand that all valid reports will be taken seriously by our engineering teams

Expectations

We expect researchers to follow the program rules:

Researchers must:

  • add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
  • use their username@bugcrowdninja.com email address for accounts
  • not access or modify Skyscanner's data or travellers' data without the explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
  • contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
  • perform testing and research only within the areas that are in scope
  • follow the Bugcrowd Coordinated Disclosure rules

In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:

  • Social Engineering attacks
  • DDoS
  • Excessive use of automated vulnerability / scanning tools
    • Please do not spam forms or account creation flows using automated scanners
    • We have a number of rate limits in place that may result in your IP address being blocked if you use such tools
  • Any testing of corporate email (*@skyscanner.net)

We will offer monetary rewards for the first submitted report of a vulnerability.

Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).

We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.

We are under no obligation to pay out for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies.

We reserve the right to withdraw this scheme at any time and shall have no obligation to pay out for any bugs submitted after closure of the scheme.


Rating & Reward Information:

For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy. However, please note that in some cases the priority rating will be altered to reflect the likelihood or impact of an exploit. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

We will award greater bounties for all valid submissions contained in our Focus Areas (see Target Information).

Priority   Reward range
P1         $2,000 – $4,000*
P2         $900 – $1,500*
P3         $300 – $400
P4         $100 – $150

*The highest rewards will be reserved for submissions deemed to have high business criticality.

Other:

  • Vulnerabilities found in multiple fields in the same form or using the same CSRF token will be counted as a single vulnerability. Subsequent submissions will be marked as Not Applicable. Please detail all affected fields in a single submission.
  • Vulnerabilities that can be exploited with similar payloads on the same path are only eligible for a single reward. Subsequent submissions will be marked Not Applicable.

Safe Harbor compliance

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Targets

In scope

*.skyscanner.net (Website Testing)
  • Tags: Website Testing, ReactJS, jQuery, Lodash, nginx, Lua, Akamai CDN

skyscanner.net/* (Website Testing)
  • Tags: Website Testing, ReactJS, jQuery, Lodash, nginx, Lua, Akamai CDN

gateway.skyscanner.net/* (API Testing)
  • Tags: API Testing, HTTP

Skyscanner iOS App (iOS)
  • Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI

Skyscanner Android App (Android)
  • Tags: Mobile Application Testing, Android, Java, Kotlin

partnerportal.skyscanner.net/* (Website Testing)
  • Tags: Website Testing, ReactJS, NodeJS, ExpressJS, Akamai CDN

skyscanner.net/hotels/book/* (Website Testing)
  • Tags: Website Testing, ReactJS, jQuery, Lodash, nginx, Akamai CDN

Out of scope

Corporate Email (*@skyscanner.net) (Other)

Target info:

Below is a summary of all the targets we will consider submissions for. Please read this section thoroughly for more information on each target, as well as our main Focus Areas.

Skyscanner website

  • https://*.skyscanner.net/*
    • Vulnerabilities found in any other regional domain with the same codebase (such as skyscanner.fr/*) will be considered the same vulnerability
    • All subdomains are in scope of this programme unless explicitly excluded

Skyscanner iOS and Android Apps

  • Skyscanner iOS App can be downloaded from the Apple App Store
  • Skyscanner Android App can be downloaded from the Google Play Store
    • Application code in the APK and any data it creates and saves on the device
    • Features or code provided by separate web services will be in scope of the service itself, not the app

Focus Areas

skyscanner.net/profile/*

  • Auth0 endpoints should be used only to:
    • Test authentication and session management flows
    • Manually verify potential vulnerabilities like XSS / Open Redirects
  • Important: See the Out of Scope section (below) for issues not in scope

skyscanner.net/book/*

The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:

  1. To find a route with Direct Booking options, search for Edinburgh (EDI) to London Heathrow (LHR).
  2. Select a date approximately 3 months in advance.
  3. Under the Airlines filter, uncheck every option besides British Airlines.
  4. On the web, press Select on any flight. On mobile, tap on the flight, then press Check Offers.
  5. Click a pink 'Book' button on any available partner to begin the Direct Booking flow.

skyscanner.net/hotels/book/*

The Direct Booking flow cannot be reached directly through the above URL. Instead, follow these steps for web and mobile:

  1. Search for any Hyatt hotel. For example: Hyatt Regency London The Churchill.
  2. Select a date approximately 3 months in advance.
  3. Press See details (on web) or See rates (on mobile). You should then see a Hyatt-branded page, which is the start of the Direct Booking flow.

To test the full booking and payment flow, we suggest booking and subsequently cancelling fully-refundable options. Check terms & conditions carefully – we are not responsible for bookings made in error.

partnerportal.skyscanner.net/*

  • Please note that a user account will not be provided
  • We are interested in testing for:
    • Authentication issues
    • Serious information disclosure

Out of Scope

The following issues are outside the scope of our rewards program:

Third Party tools and services:

Vulnerabilities found in third party products or services are not rewardable unless they are unique to our configuration or present a serious business risk (at our discretion).

Out-of-scope on skyscanner.net/profile/*:

  • Password, email and account policies, such as email id verification, reset link expiration, password complexity, session expiry
  • Any report that relates to learning whether a given username or email address has a Skyscanner account.
  • Ability to share links without verifying email.
  • Large scale account enumeration or brute force that might lead to the lock-out of a real user's account
  • Auth0 endpoints

Other:

  • Attacks requiring physical access to a user's device.
  • Host header injections unless you can show how they can lead to stealing user data.
  • Reports of spam (i.e., any report involving ability to send emails without rate limits).
  • Attacks that require the attacker's app to have the permission to overlay on top of our app (e.g., tapjacking).
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • DMARC policies being set to none or SPF policies set to SoftFail.
  • Social engineering of Skyscanner employees or contractors.
  • Any physical attempts against Skyscanner property or data centers.
  • Any access to data where the targeted user needs to be operating a rooted mobile device.
  • Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject an image or rich text (HTML), but it is not eligible for a bounty. Pure text injection is out of scope.
  • Absence of rate limiting, unless related to authentication.
  • IP/Port Scanning via Skyscanner services unless you are able to hit private IPs or Skyscanner servers.
  • Devices (iOS, Android, desktop apps) not getting unlinked on password change.
  • Phishing risk via unicode/punycode or RTLO issues.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.