TripAdvisor

  • $50 – $5,000 per vulnerability

Program stats

  • Vulnerabilities rewarded 345
  • Validation within 6 days 75% of submissions are accepted or rejected within 6 days
  • Average payout $254.16 within the last 3 months

Latest hall of famers

Recently joined this program

2604 total

Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.

Bounty Reward Ranges:

Priority Tier 1 Tier 2 Tier3
P1 $5,000 $3,000 $1,500
P2 $1,250 $900 $450
P3 $900 $400 $150
P4 $250 $150 $50
P5 $0 $0 $0

Table of Contents

  • General Program Rules
  • Program Scope
    • Tier 1 Targets
    • Tier 2 Targets
    • Tier 3 Targets
    • TripAdvisor Mobile
    • TripAdvisor Plus
    • Vacation Rentals
    • Bokun
  • Out of Scope
  • Safe Harbor

General Program Rules:

Violating program rules may result in your bounty being omitted.

  • Interacting with legitimate live properties is strictly forbidden. Even minor actions such as marking a review as helpful are forbidden.
  • Interacting with legitimate customers is strictly forbidden. Always use your own accounts to create all entities needed for your testing (e.g. hotel, hotel owner and traveler). Even minor actions such as inviting the customer to a trip are forbidden.
  • Do not post inappropriate content and images, even on test properties. Content you submit must be suitable for work and schools environment.
  • Identify your activity as belonging to BugCrowd, whether you are performing manual testing or using automated tools:
    • Include the string "bugcrowd" in your User-Agent
    • Always use accounts containing the word "bugcrowd" when adding any content (i.e. John Bugcrowd or alice.bugcrowd@gmail.com)
    • Add "bugcrowd" to one of the fields of any form post not requiring account information
  • In the unlikely event of legitimate customer sending you a message, request or similar, please explain that you are using a test account and your property is not real.
  • If creating your own property, make sure to follow the rules below. Creating properties in popular tourist areas is strictly forbidden.
Field Value
First name Must contain Bugcrowd
Last name Test
Property Name Must contain Bugcrowd
City Atafu (location id 446951)
Bank Country United Kingdom
Account Number 12345678
Sort Code 70 99 99

TripAdvisor Triage and Reporting

  • This program adheres to the BugCrowd Vulnerability Rating Taxonomy for the prioritisation/rating of findings.
  • This bounty follows BugCrowd’s standard disclosure terms.
  • Kudos points awarded will vary based on the priority of your submission. How We Measure Crowd Performance.
  • Reports should contain demonstrated practical impact and attack scenario.
  • Reports should include full HTTP requests and responses.
  • Final decisions on vulnerability priority and bounty amount are made by TripAdvisor security team for each report individually.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.