TripAdvisor Vulnerability Disclosure Program

  • Points per vulnerability
  • Managed by Bugcrowd

Program stats

12 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.

Guidelines

Note that if these are not followed, your submission will be considered as Out-of-Scope.

  • When performing an action specific to a property or location, please use test properties where possible. If the behavior you are trying to test is unreachable, you may use real properties; but please refrain from doing so unless absolutely necessary. This is especially true when posting content.
  • Vacation rental inquiries are only permissible on test properties (see below)
  • Hotel Q/A questions should only be done on test properties (see below)
  • When writing reviews, or other forms of user generated content, on real properties, do not include any text which a user may mistake for real content. Also, do not include any inappropriate content, such as swear words. As required, use a bubble rating that matches the overall rating of the property. All test UGC (User Generated Content) submitted should be removed from the live site as soon as practical once the test is complete
  • Adding new listings is permissible, but with the same restrictions as reviews
  • Similarly, if uploading photos, the photos should not be mistakable for actual photos of the property and should not be inappropriate
  • Do not add any content in Italy, France, or the UK (Great Britain, N. Ireland, Scotland)
  • Do not mark reviews helpful or report them as inappropriate except on test properties
  • Do not contact other users of the site
  • Booking hotel rooms is permissible, but be aware of the cancellation policies and cancel as soon as possible
  • Reserving restaurant tables is permissible, but be sure to use a valid email address and cancel the reservation immediately
    • Make reservations sparingly, since restaurants are often small businesses with very limited inventory
    • Do not reserve multiple tables in the same restaurant, and be sure to make reservations for at least 4 weeks in the future

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

If you submit a valid P1 or P2 submission, you may have the opportunity to be invited to the TripAdvisor Private Paid program. These invites will be sent on a weekly basis.

Targets

In scope

Target name: Any publicly accessible TripAdvisor web asset or host (domains, IP space, etc.), except for what is explicitly listed as Out-of-Scope below
Type: Website

Test Properties:

Please only use the following properties when performing testing.

Test Hotels

Test Vacation Rentals

Test Restaurants

Test Attractions

Out-of-Scope

  • Sites owned by TripAdvisor Media Group but operated independently, such as SmarterTravel, Viator, LaFourchette, etc.
  • Domains owned by TripAdvisor but operated by third parties in order to provide a service to TripAdvisor are out of scope.
    • For example, click.e.tripadvisor.com is a domain owned by TripAdvisor but operated by ExactTarget in order to track clicks from emails we send via their platform, and is thus out-of-scope.
    • However, rd.deals.tripadvisor.com is a domain owned by TripAdvisor but operated by JetSetter and is in scope because JetSetter is a TAMG company (not a third party).
    • Sites hosted in the cloud may or may not be in scope. It depends on who operates the application (a third party or TA) and on whether it provides a service as part of a larger offering rather than just hosting an application developed for TripAdvisor. An example of something out of scope would be SaaS apps such as Zendesk that TA may use but that are not running custom-built code expressly for TA.
    • Partial list of sites that are out of scope as a result of this rule: *.e.tripadvisor.*, ir.tripadvisor.com, t1.tacdn.com
    • This exclusion does not apply to domains being served via third party Content Delivery Networks such as Akamai and Edgecast. These domains are in-scope but the third party systems they traverse are not.
  • Content fraud such as inflating or deflating a property's rating, insertion of bogus properties within the listings or raising the helpful vote count of a review.
  • Exploits around mass content submission, account creation or spamming.
  • Disruption of service either through DOS attacks, exploitation of performance problems, or trying to fill up a database.
  • Social engineering attacks.
  • Attacks requiring physical access to TripAdvisor locations or property.
  • Exploits against mobile applications requiring physical access to the device or that require warranty voiding actions (e.g., rooting the device).
  • Exploits against the site from webviews within mobile applications NOT published by TripAdvisor.

Out of Scope Domains

  • flights.tripadvisor.com
  • ir.tripadvisor.com
  • t1.tacdn.com, and any other CDN network issues. TripAdvisor-specific content served via CDNs is in scope.
  • *.gateguru.*, gateguru.herokuapp.com, *.gateguruapp.*
  • *.e1.tripadvisor.*, *.e2.tripadvisor.*, *.e3.tripadvisor.*, *.e4.tripadvisor.*
  • jg.corp.tripadvisor.com
  • engineering.tripadvisor.com, & blog.tripadvisor.com.
  • tripadvisor.com/engineering, and any other aliases to out of scope sub-domains.
  • *.citymaps.com, *.citymaps.io, *.ctym.ps, & all related citymaps domains
  • www.virtualtourist.com (vtourist.com, virtualtourist.fr, virtualtouriste.fr)
  • *.tripbod.com
  • rentals.tripadvisor.com, *.housetrip.com, *.niumba.com, *.holidaylettings.co.uk, *.holidaylettings.com, *.flipkey.com, bm.niumba.com, bm.housetrip.com, bm.flipkey.com, bm.holidaylettings.co.uk and TripAdvisor Owner App
  • *.toursgds.com, viatorinc.com, *.viatorcom.se, *.viatorcom.no, *.viatorcom.nl, *.viator.com, *.viatorcom.fr, *.viatorcom.de, https://viatorapi.viator.com/service/directory, and Viator Tours & Activities for iOS and Android
  • All Smarter Travel domains, including but not limited to:
    • *.smartertravel.com, *.jetsetter.com, *.tingo.com, *.cruisecritic.co.uk, *.cruisecritic.com, *.familyvacationcritic.com, *.independenttraveler.com, *.holidaywatchdog.com, *.holidaylettings.co.uk, *.airfarewatchdog.com, *.onetime.com, *.oyster.com, *.virtualtourist.com, *.bookingbuddy.com, *.smartertravel.net
  • All La Fourchette domains, including but not limited to:
    • *.thefork.com, *.theforkmanager.com, *.lafourchette.com, *.myfourchette.com, *.bloglafourchette.com, *.eltenedor.es, *couverts.nl, *.dimmi.com.au, *.mytable.it, *.iens.nl, *.eatigo.com
  • All Viator domains.
  • Domains owned by companies in which TAMG holds only a minority investment, including, but not limited to, traxo.com. If in doubt as to whether a target falls under this rule, please create a submission asking whether the particular app/target is in or out of scope.
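Scope lists in this glob style (`*.e.tripadvisor.*`, `*.jetsetter.com`, path aliases such as tripadvisor.com/engineering) are easy to misread, and testing an out-of-scope host is the most common way a submission gets rejected. The checker below is an added example, not TripAdvisor's or Bugcrowd's tooling: it transcribes a partial set of the patterns from the lists above and resolves them in the order the page implies (path aliases, then explicit in-scope exceptions such as rd.deals.tripadvisor.com, then out-of-scope patterns, then the general rule). Two things are assumptions rather than page content: a leading `*.` is taken to cover the apex domain as well as sub-domains, and a non-leading `*` is limited to one or two labels (enough for `com` or `co.uk`) so that lookalike hosts such as tripadvisor.com.example.net are not treated as TripAdvisor assets; the `*.tripadvisor.*` in-scope root is likewise an assumption standing in for "any publicly accessible TripAdvisor web asset".

```python
"""Scope checker for the TripAdvisor program's published target list.

Added example, not the program's own tooling. Pattern lists are transcribed
(partially) from the program page; apex matching, the 1-2 label limit on a
non-leading "*" and the "*.tripadvisor.*" in-scope root are assumptions.
"""
import re
from functools import lru_cache
from urllib.parse import urlsplit

# Out-of-scope host patterns transcribed from the page (partial: the page's own
# "including but not limited to" lists are not exhaustive).
OUT_OF_SCOPE_PATTERNS = [
    "flights.tripadvisor.com", "ir.tripadvisor.com", "t1.tacdn.com",
    "jg.corp.tripadvisor.com", "engineering.tripadvisor.com", "blog.tripadvisor.com",
    "*.e.tripadvisor.*", "*.e1.tripadvisor.*", "*.e2.tripadvisor.*",
    "*.e3.tripadvisor.*", "*.e4.tripadvisor.*",
    "*.gateguru.*", "gateguru.herokuapp.com", "*.gateguruapp.*",
    "*.citymaps.com", "*.citymaps.io", "*.ctym.ps",
    "www.virtualtourist.com", "*.tripbod.com",
    "rentals.tripadvisor.com", "*.housetrip.com", "*.niumba.com",
    "*.holidaylettings.co.uk", "*.holidaylettings.com", "*.flipkey.com",
    "*.viator.com", "*.toursgds.com",
    "*.smartertravel.com", "*.jetsetter.com", "*.tingo.com",
    "*.cruisecritic.com", "*.oyster.com", "*.thefork.com", "*.lafourchette.com",
    "traxo.com",
]

# URL paths that alias an out-of-scope sub-domain (page example: tripadvisor.com/engineering).
OUT_OF_SCOPE_PATH_ALIASES = [("tripadvisor.com", "/engineering")]

# Hosts the page explicitly calls in scope even though they look like third-party infra.
IN_SCOPE_EXCEPTIONS = ["rd.deals.tripadvisor.com"]

# Assumption: hosts under tripadvisor.<tld> are TripAdvisor web assets unless excluded above.
IN_SCOPE_ROOTS = ["*.tripadvisor.*"]

_LABEL = r"[a-z0-9-]+"


@lru_cache(maxsize=None)
def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile the page's glob style into an anchored regex.

    Assumptions: a leading "*." also matches the apex (so "*.jetsetter.com"
    covers jetsetter.com); any other "*" matches one or two labels.
    """
    labels = pattern.lower().split(".")
    regex = "^"
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            regex += rf"(?:{_LABEL}(?:\.{_LABEL})*\.)?"   # optional sub-domain prefix
            continue
        piece = rf"{_LABEL}(?:\.{_LABEL})?" if label == "*" else re.escape(label)
        if i > 0 and not (i == 1 and labels[0] == "*"):
            regex += r"\."
        regex += piece
    return re.compile(regex + "$")


def host_and_path(url: str):
    """Normalise a URL or bare host into (lower-case host, path)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower().rstrip("."), parts.path or "/"


def matches_any(host: str, patterns):
    """Return the first pattern that matches host, or None."""
    for pattern in patterns:
        if pattern_to_regex(pattern).match(host):
            return pattern
    return None


def classify(url: str):
    """Return (verdict, reason) with verdict one of 'out', 'in', 'unknown'."""
    host, path = host_and_path(url)
    for alias_host, prefix in OUT_OF_SCOPE_PATH_ALIASES:
        if host in (alias_host, "www." + alias_host) and (
            path == prefix or path.startswith(prefix + "/")
        ):
            return "out", f"alias of an out-of-scope sub-domain: {alias_host}{prefix}"
    if host in IN_SCOPE_EXCEPTIONS:
        return "in", "explicitly listed as in scope"
    hit = matches_any(host, OUT_OF_SCOPE_PATTERNS)
    if hit:
        return "out", f"matches out-of-scope pattern {hit}"
    if matches_any(host, IN_SCOPE_ROOTS):
        return "in", "TripAdvisor web asset not excluded by the out-of-scope list"
    return "unknown", "not a known TripAdvisor host; ask the program before testing"


if __name__ == "__main__":
    for candidate in ["https://www.tripadvisor.com/Hotels", "https://click.e.tripadvisor.com/t",
                      "https://rd.deals.tripadvisor.com/", "tripadvisor.com/engineering/post",
                      "jetsetter.com", "https://tripadvisor.com.example.net/"]:
        print(candidate, "->", classify(candidate))
```

The resolution order matters: the explicit in-scope exception is checked before the generic out-of-scope patterns so that rd.deals.tripadvisor.com wins, while path aliases are checked first because they override a host that would otherwise be in scope. A trailing `*` is the weakest part of any glob scope list; with an unbounded match it would also accept hosts that merely begin with a TripAdvisor label, which is why the label limit is applied here.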

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.