Skyscanner launches its own vulnerability bounty program

The travelers’ website will launch a vulnerability bounty program; ethical hackers may receive up to $2k USD per report

Skyscanner, a popular travel search website, has announced the creation of its own public vulnerability bounty program. According to network security and ethical hacking experts from the International Institute of Cyber Security, the company offers rewards of up to $2k USD per vulnerability reported.

The company already had a limited bug bounty program, which allowed it to find and fix more than 200 security errors in its systems. Now, Skyscanner has extended its rewards program to any network security specialist who finds a flaw in the travel company’s infrastructure.

“In the most recent years we have implemented a successful private rewards program. Today, to strengthen our information security policies, we have extended the program to the general public. We want to make sure that our customers enjoy the best experience when using Skyscanner,” says the company’s statement. 

The program includes the vulnerabilities found on the official website skyscanner.net, the regional domains, the gateway.skyscanner.net API, iOS and Android mobile apps and the partnerportal.skyscanner.net website. “We invite any specialists interested to conduct tests on our website and mobile applications according to the processes and guidelines established by the program”.

The company will pay for flaws present in the different sections of the Skyscanner platforms, such as the user profile, reservations and partner portal. Network security experts who participate in the program will not be able to modify or access the travelers’ information without the prior explicit consent of data holders.

Skyscanner strongly urges specialists to adhere to the established guidelines, since they face penalties of at least 10% of the reward if a report is valid but does not comply with the rules of the program.

The program establishes payments of up to $1.5k USD and $2.0k USD for reporting security configuration errors, server issues, authentication flaws, leaks of confidential information, and more. The priority and rewards scale is:

Priority 1: between $1500 and $2000 USD
Priority 2: between $900 and $1200 USD
Priority 3: between $300 and $400 USD
Priority 4: between $100 and $200 USD

“It is important to mention that, on some occasions, the priority of reports may be affected by the impact or likelihood of it being exploited. In this case, the Skyscanner team will duly notify the specialists of the reasons why a report may receive a lesser reward, and they will also have the opportunity to appeal the decision and submit a new report”, concludes Skyscanner’s announcement.