Viator

  • $200 – $4,500 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded: 181
  • Validation within 2 days: 75% of submissions are accepted or rejected within 2 days
  • Average payout: $1,535 within the last 3 months

Recently joined this program

2399 total

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Viator.

Every day new security issues and attack vectors are created. Viator strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

We would like to get as broad coverage as possible but we also have to be sensitive to our suppliers, as well as our users, so we would like all testing to be done with an awareness that some actions will directly affect many people outside of our company. For example, a review of a tour which contains incorrect statements about the tour could negatively affect future bookings for that tour and the supplier.

Another example is making test bookings on production for real products and suppliers. The supplier may not necessarily be aware they are test bookings. This can result in unused inventory for the supplier. Accordingly, we request that testers abide by the guidelines below.

Our primary interest is finding security holes. We are not at this time interested in attacks on content quality, vulnerability to spamming, manipulation of tour ratings, or manipulation of user generated content (user submitted tour reviews and photos).

Test booking guidelines:

Whenever making any test bookings, signing up as a partner, or initiating any Live Chats, always use BUGCROWD in the name or language.

We request that you keep test bookings to a minimum, but they are possible and necessary to test the payment and post-purchase workflows on our systems.

To make a test booking, please follow these rules:

  • Make sure the surname for all travellers is TEST
  • Make sure you add "This is a test booking - please ignore" in the Special Requirements field
  • Please only book the following product codes: 73111P1, 73111AUTOTEST1, 73111AUTOTEST5, 73111AUTOTEST8, 73111AUTOTEST10
      • Note: to use a test product you'll need to search for it directly in the search box on the homepage
      • Test products do not return in product searches and are not on any of the listings pages
      • URL will look like this: https://www.viator.com/tours/Barcelona/Automated-Test-Product-Only/d562-73111AUTOTEST10
  • Make sure it is booked for a date at least 3 months in advance
  • Use your own credit card to complete the booking
  • Once your testing is complete, please go into the booking self-service screen and cancel your booking for a full refund to your credit card. Please make sure to do this at least 2 months before the original booking date.

To create a test supplier through Viator's supplier sign-up page, start the supplier name with BUGCROWD.

Please make sure to accurately follow the above steps to avoid a charge to your credit card.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.