Hyatt Is Offering Bounties Of Up To $4,000 If You Can Hack Its Websites


Some links to products and travel providers on this website will earn Traveling For Miles a commission which helps contribute to the running of the site – I’m very grateful to anyone who uses these links but their use is entirely optional. The compensation does not impact how and where products appear on this site and does not impact reviews that are published. For more details please see the advertising disclosure found at the bottom of every page.


Cyber crime is a thing we have to live with nowadays and announcements of major hacks seem to be getting more commonplace.

The Equifax hack was probably the most publicised hack from the past 18  months but the recent admission by Marriott that details of up to 383 million guests were compromised makes the hotelier the victim of one of the largest hacks so far….and things won’t stop there.

I can’t imagine a time when hackers won’t be a threat to corporations that handle millions of people’s data so it’s always good to see one of these entities making an obvious effort to combat the risks it faces…and that’s what Hyatt appears to be doing right now.

Hyatt has just launched a “Public Bug Bounty Program” in which it is inviting “ethical hackers” to test its websites and mobile apps for potential vulnerabilities.

Here’s how Hyatt describes what it’s offering:

Through the bug bounty program, security researchers will be able to earn cash rewards, also known as bounties, if they report valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android versions of the Hyatt mobile app so they can be safely resolved. All ethical hackers that have agreed to HackerOne’s terms and conditions, and adhere to disclosure guidelines are eligible to participate in this program.

The hotelier has set up a website with more information for anyone who’s interested in participating and it is offering bounties on a sliding scale to anyone notifying it of vulnerabilities in its systems.

Here’s what Hyatt has to say about the rewards:

In-scope vulnerabilities will be rewarded based on severity following remediation. The Hyatt Bug Bounty program will only accept HackerOne vulnerability reports containing original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and or availability of the services in scope.

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of Hyatt Hotels.

The program is already in full flow and, from the information available on the HackerOne website it looks as if some vulnerabilities have already been reported and addressed….

…and a few bounties paid out too….although clearly no critical issues have been brought to Hyatt’s attention yet.

I’d love to know how many critical and high risk vulnerabilities participants find in Hyatt’s systems but the disclosure policy for this program clearly states that hackers are not allowed to discuss vulnerabilities (even resolved ones) outside of the program….so I guess we may never find out.

Unsurprisingly there are a whole raft of things Hyatt does not want its hackers to do (like collect guest information if they come across it) and those are clearly laid out in the guidelines of the program….but I can’t help but wonder if a hacker wouldn’t be tempted if he/she was to find a truly significant weakness.

Let’s hope not!

Overall it’s good to see Hyatt doing this as, at the very least,  it shows that it is making an effort not to find itself in the position Marriott is in – compromised, embarrassed and looking somewhat inept – and has to be a good thing.

Any readers out there with the skills needed to test Hyatt’s security?

Featured image courtesy of Wiki Commons Media

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here