This program is intended as a responsible vulnerability disclosure program for WestJet. If you have found a security issue in a WestJet owned property, please use the submit button in the upper right hand area to submit your report. We appreciate your effort in making WestJet more secure, and thank you for your report! Good luck and happy hunting!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Out of scope
Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.
-The passenger rights claims functionality: https://www.westjet.com/en-ca/travel-info/flight-interruptions-passenger-rights/claims
Cross Origin Resource Sharing (CORS)
DO NOT exfiltrate any live client data - ONLY test against accounts you expressly own
DO NOT perform any testing that might degrade the user experience on the app - if you have questions, please ask and err on the side of caution
DO NOT perform any automated testing against forms or functionalities that go out to support teams or any other group that will have to process your payload
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
- You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.