TripAdvisor
- $100 – $5,000 per vulnerability
Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.
Bounty Reward Ranges:
| Priority | Tier 1 | Tier 2 | Tier3 |
|---|---|---|---|
| P1 | $5,000 | $3,000 | $1,500 |
| P2 | $2,500 | $1,800 | $900 |
| P3 | $1,800 | $800 | $300 |
| P4 | $500 | $300 | $100 |
| P5 | $0 | $0 | $0 |
Table of Contents
- General Program Rules
- Program Scope
- Tier 1 Targets
- Tier 2 Targets
- Tier 3 Targets
- TripAdvisor Mobile
- TripAdvisor Plus
- Vacation Rentals
- Bokun
- Out of Scope
- Safe Harbor
General Program Rules:
Violating program rules may result in your bounty being omitted.
- Interacting with legitimate live properties is strictly forbidden. Even minor actions such as marking a review as helpful is forbidden.
- Interacting with legitimate customers is strictly forbidden. Always use your own accounts to create all entities (e.g. hotel owner and traveler) needed for your testing. Even minor actions such as marking forum comment as helpful is forbidden.
- In the unlikely event of legitimate customer sending you a message, request or similar, you must explain that you are using a test account and your property is not real.
- Do not post inappropriate content and images, even on test properties. Content you submit must be suitable for work and schools environment.
- Identify your activity as belonging to BugCrowd, whether you are performing manual testing or using automated tools:
- Include the string "bugcrowd" in your User-Agent
- Always use accounts containing the word "bugcrowd" when adding any content (i.e. John Bugcrowd or alice.bugcrowd@gmail.com)
- Add "bugcrowd" to one of the fields of any form post not requiring account information
- If creating your own property, make sure to follow the rules below. Creating properties in popular tourist areas is strictly forbidden.
| Field | Value |
|---|---|
| First name | Must contain Bugcrowd |
| Last name | Test |
| Mobile | +44 7700 900000 |
| Property Name | Must contain Bugcrowd |
| City | Atafu (location id 446951) |
| Bank Country | United Kingdom |
| Account Number | 12345678 |
| Sort Code | 70 99 99 |
-
Use test properties whenever possible. Only if the functionality you are trying to test does not exist in test properties, you may create your own property for testing. See the list of test properties below.
You must abide guidelines specific to each scope tier which are listed in sections below.
TripAdvisor Triage and Reporting
- This program adheres to the BugCrowd Vulnerability Rating Taxonomy for the prioritisation/rating of findings.
- This bounty follows BugCrowd’s standard disclosure terms.
- Kudos points awarded will vary based on the priority of your submission. How We Measure Crowd Performance.
- Reports should contain demonstrated practical impact. For example, subdomain takeover priority can be P5 as well as P1 depending on the data flowing through the subdomain. Make sure to answer the question "What could an attacker do with submitted vulnerability". For example, taking over a subdomain that is not used at all has no impact and will be considered P5.
- Reports should include full HTTP requests and responses.
- Final decisions on vulnerability priority and bounty amount are made by TripAdvisor security team for each report individually.
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.