TripAdvisor Vulnerability Disclosure Program

  • $100 – $5,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

27 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$350 average payout (last 3 months)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.

Guidelines

Note that if these guidelines are not followed, your submission will be considered Out-of-Scope.

  • When performing an action specific to a property or location, please use test properties where possible. If the behavior you are trying to test is unreachable on a test property, you may use real properties, but please refrain from doing so unless absolutely necessary. This is especially true when posting content.
  • Vacation rental inquiries are only permissible on test properties (see below).
  • Hotel Q&A questions should only be submitted on test properties (see below).
  • When writing reviews, or other forms of user generated content, on real properties, do not include any text which a user may mistake for real content. Also, do not include any inappropriate content, such as swear words. Where a rating is required, use a bubble rating that matches the overall rating of the property. All test UGC (User Generated Content) submitted should be removed from the live site as soon as practical once the test is complete.
  • Adding new listings is permissible, but with the same restrictions as reviews.
  • Similarly, if uploading photos, the photos should not be mistakable for actual photos of the property and should not be inappropriate.
  • Do not add any content in Italy, France, or the UK (Great Britain, N. Ireland, Scotland)
  • Do not mark reviews helpful or report them as inappropriate except on test properties.
  • Do not contact other users of the site.
  • Booking hotel rooms is permissible, but be aware of the cancellation policies and cancel as soon as possible.
  • Reserving restaurant tables is permissible, but be sure to use a valid email address and cancel the reservation immediately.
    • Make reservations sparingly, since restaurants are often small businesses with very limited inventory.
    • Do not reserve multiple tables in the same restaurant, and be sure to make reservations for at least 4 weeks in the future.
  • This program adheres to the Bugcrowd Vulnerability Rating Taxonomy (VRT) for the prioritization/rating of findings.
  • This bounty follows Bugcrowd's standard disclosure terms.
  • Kudos points awarded will vary based on the priority of your submission (see Bugcrowd's "How We Measure Crowd Performance").
    • Please note: points for duplicates are not awarded until the priority of the original bug it duplicates is confirmed.

TripAdvisor Process

Researcher engagement is our top priority; in an effort to maximize transparency with researchers on our program, the process we use for handling issues submitted to us is as follows:

  • Once you submit an issue, the Bugcrowd analysts need time to triage the submission. This takes several days.
  • If the analysts have questions for the researcher or for TripAdvisor, this process may take longer.
  • TripAdvisor leverages automated processing to fetch triaged issues into our system.
  • After being imported into TripAdvisor, the issue remains in a triaged state while we investigate it.
  • For P1/P2 issues, we aim to complete our triage within one business week of the issue being imported.
  • For other issues, it may take us up to three business weeks to triage the issue.
  • We have automated processes which auto-accept most issues if our teams cannot get to the issue in time.
  • The automated process will mark issues as resolved once closed in our system. It is safe to retest at this point.
  • TripAdvisor reserves the ability to change the priority of a submission based on business risk and impact. If we downgrade one of your submissions based on real-world impact, we will comment in the submission and give you the opportunity to demonstrate higher impact if possible.
  • As we improve our processes and integration, some issues may fall through the cracks of the automated system.
  • Payments are not yet automated. We manually review issues that require payment at least once per week. Please allow one week after acceptance for us to issue payment.
  • We receive alerting and manually review issues that are not handled correctly by the manual process.
  • Please do not hesitate to contact us or Bugcrowd if your issue has not been accepted within the times listed above. We are actively working to refine our process and import jobs.

Bounties

This program offers rewards for submissions based on the impacted domain.

Domains Eligible for Tier 1 Rewards

  • api.tapayments.com
  • api1.tapayments.com
  • api2.tapayments.com
  • partnerapi.tapayments.com
  • partnerapi1.tapayments.com
  • partnerapi2.tapayments.com
  • walletproxy.tapayments.com
  • walletproxy1.tapayments.com
  • walletproxy2.tapayments.com

Domains Eligible for Tier 2 Rewards

  • www.tripadvisor.com
  • api.tripadvisor.com
  • Any localized version of www.tripadvisor.com available from the site's header or footer.
  • service.platform.tripadvisor.com
  • gwapi.tripadvisor.com
  • gwapi1.tripadvisor.com
  • gwapi2.tripadvisor.com

Domains Eligible for Tier 3 Rewards

  • All other eligible entries not specifically listed in a higher tier.

Rewards

Category   Tier 1       Tier 2       Tier 3
P1         USD $5,000   USD $3,000   USD $1,500
P2         USD $1,800   USD $1,800   USD $900
P3         USD $600     USD $600     USD $300
P4         USD $200     USD $200     USD $100
P5         USD $0       USD $0       USD $0
  • Duplicate submissions: USD $0
  • Invalid/out-of-scope submissions: USD $0

Targets

In scope

Target name                                                                                                Type
Any publicly accessible TripAdvisor web asset or host (domains, IP space, etc.), except for what is        Website
explicitly listed as Out-of-Scope below

Out of scope

Target name                                                      Type
*boards.cruisecritic.*                                           Website
*forums.cruisecritic.*                                           Website
messages.cruisecritic.*                                          Website
*.cruisecritic.*/rollcall/entry_cl.cfm*                          Website
https://www.cruisecritic.com/rollcall/entry_cl.cfm.*             Website
https://www.cruisecritic.co.uk/rollcall/entry_cl.cfm.*           Website
https://www.cruisecritic.com.au/rollcall/entry_cl.cfm.*          Website

Testing API

You may use the following API key: adf6d1b8-0aca-4b0c-a492-50530aadd7aa

Test Properties:

Test Hotels

Test Vacation Rentals

Test Restaurants

Test Attractions

Out-of-Scope

  • Sites owned by TripAdvisor Media Group but operated independently, such as SmarterTravel, Viator, La Fourchette, etc.
  • Domains owned by TripAdvisor but operated by third parties in order to provide a service to TripAdvisor are out of scope.
    • For example, click.e.tripadvisor.com is a domain owned by TripAdvisor but operated by ExactTarget in order to track clicks from emails we send via their platform, and is thus out-of-scope.
    • However, rd.deals.tripadvisor.com is a domain owned by TripAdvisor but operated by JetSetter and is in scope, because JetSetter is a TAMG company (not a third party).
    • Sites hosted in the cloud may or may not be in-scope. It depends on who is operating the application and whether it is providing a service as part of a larger offering, as opposed to just hosting an application developed for TripAdvisor. (An example of something out of scope would be SaaS apps such as Zendesk that may be leveraged by TA but are not running custom-built code expressly for TA.)
    • Partial list of sites that are out of scope as a result of this rule: *.e.tripadvisor.*, ir.tripadvisor.com, t1.tacdn.com
    • This exclusion does not apply to domains being served via third-party Content Delivery Networks such as Akamai and Edgecast. These domains are in-scope, but the third-party systems they traverse are not.
  • Content fraud such as inflating or deflating a property's rating, insertion of bogus properties within the listings or raising the helpful vote count of a review.
  • Exploits around mass content submission, account creation or spamming.
  • Disruption of service either through DOS attacks, exploitation of performance problems, or trying to fill up a database.
  • Social engineering attacks.
  • Attacks requiring physical access to TripAdvisor locations or property.
  • Exploits against mobile applications requiring physical access to the device or that require warranty voiding actions (e.g., rooting the device).
  • Exploits against the site from webviews within mobile applications NOT published by TripAdvisor.

Out of Scope Domains

  • flights.tripadvisor.com
  • ir.tripadvisor.com
  • t1.tacdn.com, and any other CDN network issues. TripAdvisor-specific content on CDNs is in scope.
  • *.gateguru.*, gateguru.herokuapp.com, *.gateguruapp.*
  • *.e1.tripadvisor.*, *.e2.tripadvisor.*, *.e3.tripadvisor.*, *.e4.tripadvisor.*
  • jg.corp.tripadvisor.com
  • engineering.tripadvisor.com, & blog.tripadvisor.com.
  • tripadvisor.com/engineering, and any other aliases to out of scope sub-domains.
  • *.citymaps.com, *.citymaps.io, *.ctym.ps, & all related citymaps domains.
  • www.virtualtourist.com (vtourist.com, virtualtourist.fr, virtualtouriste.fr)
  • *.tripbod.com
  • rentals.tripadvisor.com, *.housetrip.com, *.niumba.com, *.holidaylettings.co.uk, *.holidaylettings.com, *.flipkey.com, bm.niumba.com, bm.housetrip.com, bm.flipkey.com, bm.holidaylettings.co.uk and TripAdvisor Owner App
  • *.toursgds.com, viatorinc.com, *.viatorcom.se, *.viatorcom.no, *.viatorcom.nl, *.viator.com, *.viatorcom.fr, *.viatorcom.de, https://viatorapi.viator.com/service/directory, and Viator Tours & Activities for iOS and Android
  • All Smarter Travel domains, including but not limited to:
    • *.smartertravel.com
    • *.jetsetter.com
    • *.tingo.com
    • *.familyvacationcritic.com
    • *.independenttraveler.com
    • *.holidaywatchdog.com
    • *.holidaylettings.co.uk
    • *.airfarewatchdog.com
    • *.onetime.com
    • *.oyster.com
    • *.virtualtourist.com
    • *.bookingbuddy.com
    • *.smartertravel.net
  • All La Fourchette domains, including but not limited to:
    • *.thefork.com
    • *.theforkmanager.com
    • *.lafourchette.com
    • *.myfourchette.com
    • *.bloglafourchette.com
    • *.eltenedor.es
    • *couverts.nl
    • *.dimmi.com.au
    • *.mytable.it
    • *.iens.nl
    • *.eatigo.com
  • All Viator domains.
  • All domains relating to forums on cruisecritic: *boards.cruisecritic.*, *forums.cruisecritic.*, messages.cruisecritic.*, or any other related cnames.
  • [Update 2019-03-08] Any cruise critic /rollcall/entry_cl.cfm end points.
  • Domains owned by companies in which TAMG only has a minority investment, including, but not limited to, traxo.com. If in doubt as to whether a target applies here, please create a submission asking if the particular app/target is in or out of scope.

If your submission is marked "Won't Fix"…

TripAdvisor wants to reward the hard work of security researchers working to improve our site. While we strive to address all known flaws, there are some situations in which we are unable to accept submissions.

Examples:

  • The issue’s priority may be very low on the VRT.
  • The issue occurs on a product or feature soon to be obsoleted.
  • It may only expose information that is considered public.
  • Some business partners may not yet be able to support certain security features.
  • We may not be able to resolve the issue in a near time-frame, i.e., within 6-12 months.
  • The issue may be mitigated by manual review or other off-line detection processes.

While the term "Won't Fix" implies a final state, we may certainly revisit the issue further down the road. TripAdvisor products are constantly being re-worked and improved. We review each denied submission on a case by case basis in order to determine how best to reward the researcher for their effort.

We reward researchers monetarily for “won’t fix” issues so long as the following conditions are met:

  • The submission must represent an important security flaw. Low-priority issues, or issues that only expose public information, are not eligible for payment.
  • The submission must be unique and must not share underlying flaws with other issues.
  • The researcher must have demonstrated significant effort in producing the submission.
  • Out-of-scope, non-applicable, or unreproducible issues do not apply.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.