TripAdvisor

  • $100 – $5,000 per vulnerability

Program stats

  • Vulnerabilities rewarded: 302
  • Validation within 3 days: 75% of submissions are accepted or rejected within 3 days
  • Average payout: $300 within the last 3 months

Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.

Bounty Reward Ranges:

  Priority   Tier 1   Tier 2   Tier 3
  P1         $5,000   $3,000   $1,500
  P2         $2,500   $1,800     $900
  P3         $1,800     $800     $300
  P4           $500     $300     $100
  P5             $0       $0       $0

Table of Contents

  • General Program Rules
  • Program Scope
    • Tier 1 Targets
    • Tier 2 Targets
    • Tier 3 Targets
    • TripAdvisor Mobile
    • TripAdvisor Plus
    • Vacation Rentals
    • Bokun
  • Out of Scope
  • Safe Harbor

General Program Rules:

Violating the program rules may result in forfeiture of your bounty.

  • Interacting with legitimate live properties is strictly forbidden. Even minor actions such as marking a review as helpful are forbidden.
  • Interacting with legitimate customers is strictly forbidden. Always use your own accounts to create every entity needed for your testing (e.g. both the hotel owner and the traveler). Even minor actions such as marking a forum comment as helpful are forbidden.
  • In the unlikely event that a legitimate customer sends you a message, request or similar, you must explain that you are using a test account and that your property is not real.
  • Do not post inappropriate content or images, even on test properties. Content you submit must be suitable for work and school environments.
  • Identify your activity as belonging to Bugcrowd, whether you are performing manual testing or using automated tools:
    • Include the string "bugcrowd" in your User-Agent
    • Always use accounts containing the word "bugcrowd" when adding any content (e.g. John Bugcrowd or alice.bugcrowd@gmail.com)
    • Add "bugcrowd" to one of the fields of any form post that does not require account information
  • If creating your own property, use the values below. Creating properties in popular tourist areas is strictly forbidden.

  Field           Value
  First name      Must contain Bugcrowd
  Last name       Test
  Mobile          +44 7700 900000
  Property Name   Must contain Bugcrowd
  City            Atafu (location id 446951)
  Bank Country    United Kingdom
  Account Number  12345678
  Sort Code       70 99 99

  The mobile number falls in the 07700 900000 to 900999 range that Ofcom reserves for drama and fiction, so it cannot reach a real subscriber; use the bank values exactly as given rather than your own details.
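The identification rules above are easy to forget once requests come out of a script or a scanner, so the following added example (not TripAdvisor's or Bugcrowd's code) builds each request with the tag in the User-Agent, injects the tag into a free-text field of form posts that carry no account information, checks the rule before anything is sent, and renders the request as the raw HTTP message a report should include. The researcher id, the example.test URLs, the "notes" field name and the list of account field names are assumptions for illustration.

```python
"""Tag test traffic per the program's identification rule and render requests for a report.

Added example; not TripAdvisor's or Bugcrowd's code. The researcher id, target URLs,
the "notes" field and ACCOUNT_FIELDS are assumptions chosen for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

TAG = "bugcrowd"
# Posts carrying these fields are account operations: they are identified by the
# account itself (a name or e-mail containing "bugcrowd"), so no marker is injected.
ACCOUNT_FIELDS = {"email", "username", "password", "first_name", "last_name"}


def build_tagged_request(method, url, form=None, headers=None, researcher="alice.bugcrowd"):
    """Return a request dict {"method", "url", "headers", "body"} with the tag applied.

    The tag always goes into the User-Agent; for form posts without account fields
    it is also written into an assumed free-text field named "notes".
    """
    hdrs = dict(headers or {})
    ua = hdrs.get("User-Agent", "Mozilla/5.0")
    if TAG not in ua.lower():
        hdrs["User-Agent"] = f"{ua} {TAG}/{researcher}"
    body = b""
    if form is not None:
        fields = dict(form)
        already_tagged = any(TAG in str(v).lower() for v in fields.values())
        if not (ACCOUNT_FIELDS & fields.keys()) and not already_tagged:
            fields["notes"] = f"{TAG} test by {researcher}"  # assumed field name
        body = urlencode(fields).encode()
        hdrs.setdefault("Content-Type", "application/x-www-form-urlencoded")
        hdrs["Content-Length"] = str(len(body))
    return {"method": method, "url": url, "headers": hdrs, "body": body}


def is_tagged(req):
    """Pre-flight check: tag in the User-Agent, and in some field of every form post."""
    if TAG not in req["headers"].get("User-Agent", "").lower():
        return False
    if req["method"].upper() == "POST" and req["body"]:
        fields = dict(parse_qsl(req["body"].decode()))
        # Covers both cases: the injected marker field and a tagged account name/e-mail.
        return any(TAG in v.lower() for v in fields.values())
    return True


def to_raw_http(req):
    """Render the request as the raw HTTP/1.1 message a report should quote in full."""
    parts = urlsplit(req["url"])
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    lines = [f"{req['method']} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"].decode()


if __name__ == "__main__":
    # Constructed sample: a review post on an assumed example.test endpoint.
    req = build_tagged_request("POST", "https://example.test/review?lang=en",
                               form={"title": "Great stay", "rating": "5"})
    assert is_tagged(req)
    print(to_raw_http(req))
```

Run `is_tagged` as a guard in whatever sends the traffic, so an untagged request (for example one produced by a tool whose User-Agent you forgot to change) is refused before it reaches the target; the raw rendering from `to_raw_http` is what goes into the report alongside the captured response.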

TripAdvisor Triage and Reporting

  • This program adheres to the Bugcrowd Vulnerability Rating Taxonomy (VRT) for the prioritisation and rating of findings.
  • This bounty follows Bugcrowd's standard disclosure terms.
  • Kudos points awarded will vary based on the priority of your submission (see How We Measure Crowd Performance).
  • Reports must demonstrate practical impact: answer the question "What could an attacker do with the submitted vulnerability?" For example, a subdomain takeover can be rated anywhere from P5 to P1 depending on the data flowing through the subdomain; taking over a subdomain that is not used at all has no impact and will be rated P5.
  • Reports should include full HTTP requests and responses.
  • Final decisions on vulnerability priority and bounty amount are made by the TripAdvisor security team for each report individually.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.