Viator

  • $200 – $4,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

148 vulnerabilities rewarded

Validation within about 11 hours
75% of submissions are accepted or rejected within about 11 hours

$250 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Viator.

Every day new security issues and attack vectors are created. Viator strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

We would like to get as broad coverage as possible but we also have to be sensitive to our suppliers, as well as our users, so we would like all testing to be done with an awareness that some actions will directly affect many people outside of our company. For example, a review of a tour which contains incorrect statements about the tour could negatively affect future bookings for that tour and the supplier.

Another example is making test bookings on production for real products and suppliers. The supplier may not necessarily be aware they are test bookings. This can result in unused inventory for the supplier. Accordingly, we request that testers abide by the guidelines below.

Our primary interest is finding security holes. We are not at this time interested in attacks on content quality, vulnerability to spamming, manipulation of tour ratings, or manipulation of user generated content (user submitted tour reviews and photos).

Test booking guidelines:

Whenever making any test bookings, signing up as a partner, or initiating any Live Chats always use BUGCROWD in the name or language

We would request that you keep test bookings to a minimum. But they are possible and necessary to test the payment and post-purchase workflows on our systems.

To make a test booking please follow the following rules...

  • Make sure the surname for all travellers is TEST
  • Make sure you add "This is a test booking - please ignore" in the Special Requirements field
  • Please only book the following product codes: 73111P1, 73111AUTOTEST1, 73111AUTOTEST5, 73111AUTOTEST8, 73111AUTOTEST10 -- Note: to use a test product you'll need to search for it directly in the search box on the homepage -- Test products do not return in product searches and are not on any of the listings pages -- URL will look like this: https://www.viator.com/tours/Barcelona/Automated-Test-Product-Only/d562-73111AUTOTEST10
  • Make sure it is booked for a date at least 3 months in advance
  • Use your own credit card to complete the booking
  • Once your testing is complete please go into the booking self service screen and cancel your booking for a full refund to your credit card. Please make sure to do this at least 2 months before the original booking date

To make a test Suppliers through Viator's supplier sign up page, start the supplier name with BUGCROWD

Please make sure to accurately follow the above steps to avoid a charge to your credit card

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.