WestJet's Vulnerability Disclosure Program

  • Points per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

10 vulnerabilities rewarded

Validation within 21 days
75% of submissions are accepted or rejected within 21 days

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

This program is intended as a responsible vulnerability disclosure program for WestJet. If you have found a security issue in a WestJet owned property, please use the submit button in the upper right hand area to submit your report. We appreciate your effort in making WestJet more secure, and thank you for your report! Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name Type Tags
www.westjet.com Website Testing
  • Akamai CDN
  • Bootstrap
  • Modernizr
  • RequireJS
  • jQuery
  • Lodash
  • Website Testing
www.flyswoop.com Website Testing
  • Website Testing

Out of scope

Target name Type
travel.westjet.com API Testing
biz.westjet.com Website Testing


Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.


-The passenger rights claims functionality: https://www.westjet.com/en-ca/travel-info/flight-interruptions-passenger-rights/claims

  • Cross Origin Resource Sharing (CORS)

  • DO NOT exfiltrate any live client data - ONLY test against accounts you expressly own

  • DO NOT perform any testing that might degrade the user experience on the app - if you have questions, please ask and err on the side of caution

  • DO NOT perform any automated testing against forms or functionalities that go out to support teams or any other group that will have to process your payload

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.