TripAdvisor
- $50 – $5,000 per vulnerability
Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.
Bounty Reward Ranges:
| Priority | Tier 1 | Tier 2 | Tier3 |
|---|---|---|---|
| P1 | $5,000 | $3,000 | $1,500 |
| P2 | $1,250 | $900 | $450 |
| P3 | $900 | $400 | $150 |
| P4 | $250 | $150 | $50 |
| P5 | $0 | $0 | $0 |
Table of Contents
- General Program Rules
- Program Scope
- Tier 1 Targets
- Tier 2 Targets
- Tier 3 Targets
- TripAdvisor Mobile
- TripAdvisor Plus
- Vacation Rentals
- Bokun
- Out of Scope
- Safe Harbor
General Program Rules:
Violating program rules may result in your bounty being omitted.
- Interacting with legitimate live properties is strictly forbidden. Even minor actions such as marking a review as helpful are forbidden.
- Interacting with legitimate customers is strictly forbidden. Always use your own accounts to create all entities needed for your testing (e.g. hotel, hotel owner and traveler). Even minor actions such as inviting the customer to a trip are forbidden.
- Do not post inappropriate content and images, even on test properties. Content you submit must be suitable for work and schools environment.
- Identify your activity as belonging to BugCrowd, whether you are performing manual testing or using automated tools:
- Include the string "bugcrowd" in your User-Agent
- Always use accounts containing the word "bugcrowd" when adding any content (i.e. John Bugcrowd or alice.bugcrowd@gmail.com)
- Add "bugcrowd" to one of the fields of any form post not requiring account information
- In the unlikely event of legitimate customer sending you a message, request or similar, please explain that you are using a test account and your property is not real.
- If creating your own property, make sure to follow the rules below. Creating properties in popular tourist areas is strictly forbidden.
| Field | Value |
|---|---|
| First name | Must contain Bugcrowd |
| Last name | Test |
| Property Name | Must contain Bugcrowd |
| City | Atafu (location id 446951) |
| Bank Country | United Kingdom |
| Account Number | 12345678 |
| Sort Code | 70 99 99 |
-
Use test properties whenever possible. Only if the functionality you are trying to test does not exist in test properties, you may create your own property for testing. See the list of test properties below.
You must abide guidelines specific to each scope tier which are listed in sections below.
TripAdvisor Triage and Reporting
- This program adheres to the BugCrowd Vulnerability Rating Taxonomy for the prioritisation/rating of findings.
- This bounty follows BugCrowd’s standard disclosure terms.
- Kudos points awarded will vary based on the priority of your submission. How We Measure Crowd Performance.
- Reports should contain demonstrated practical impact and attack scenario.
- Reports should include full HTTP requests and responses.
- Final decisions on vulnerability priority and bounty amount are made by TripAdvisor security team for each report individually.
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.