You are hacking on: Expedia Group Bug Bounty

Powered by:

Allows bounty splitting:

Average time to first program response: 6

Average time to bounty awarded null:

Average time to report resolved: 781

Handle expediagroup_bbp

Managed program: true

Name: Expedia Group Bug Bounty

Offers bounties: true

Offers swag: false

Response efficiency percentage: 96

Submission state: open

Url: https://hackerone.com/expediagroup_bbp

Website: https://www.expediagroup.com/

In scope:

Asset identifier: 1245772818

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: https://apps.apple.com/us/app/vrbo-vacation-rentals/id1245772818

Integrity requirements:

Max severity: critical

Asset identifier: 284803487

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the travelocity iOS app https://apps.apple.com/us/app/travelocity-hotels-flights/id284803487

Integrity requirements:

Max severity: critical

Asset identifier: 284971959

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: https://apps.apple.com/us/app/hotels-com-book-your-hotel/id284971959

Integrity requirements:

Max severity: critical

Asset identifier: 403546234

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the Orbitz iOS app https://apps.apple.com/us/app/orbitz-hotels-flights/id403546234

Integrity requirements:

Max severity: critical

Asset identifier: 427916203

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Expedia iOS App https://apps.apple.com/us/app/expedia-hotels-flights-car/id427916203

Integrity requirements:

Max severity: critical

Asset identifier: 483394780

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the ebookers iOS app https://apps.apple.com/us/app/ebookers-hotels-flights/id483394780

Integrity requirements:

Max severity: critical

Asset identifier: 531549799

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the wotif iOS app https://apps.apple.com/au/app/wotif-hotels-flights/id531549799

Integrity requirements:

Max severity: critical

Asset identifier: 566635048

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: [Hotwire iOS App](https://apps.apple.com/us/app/hotwire-last-minute-hotels/id566635048)

Integrity requirements:

Max severity: critical

Asset identifier: 880759727

Asset type: APPLE_STORE_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the cheaptickets iOS app https://apps.apple.com/us/app/cheaptickets-hotels-flights/id880759727

Integrity requirements:

Max severity: critical

Asset identifier: com.cheaptickets

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the cheaptickets Android app https://play.google.com/store/apps/details?id=com.cheaptickets

Integrity requirements:

Max severity: critical

Asset identifier: com.ebookers

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the ebookers Android app https://play.google.com/store/apps/details?id=com.ebookers

Integrity requirements:

Max severity: critical

Asset identifier: com.expedia.bookings

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Expedia Android App https://play.google.com/store/apps/details?id=com.expedia.bookings

Integrity requirements:

Max severity: critical

Asset identifier: com.hcom.android

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: [Hotels Android App](https://play.google.com/store/apps/details?id=com.hcom.android)

Integrity requirements:

Max severity: critical

Asset identifier: com.hotwire.hotels

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: [Hotwire Android App](https://play.google.com/store/apps/details?id=com.hotwire.hotels)

Integrity requirements:

Max severity: critical

Asset identifier: com.orbitz

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the Orbitz Android app https://play.google.com/store/apps/details?id=com.orbitz

Integrity requirements:

Max severity: critical

Asset identifier: com.travelocity.android

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the travelocity Android app https://play.google.com/store/apps/details?id=com.travelocity.android

Integrity requirements:

Max severity: critical

Asset identifier: com.vrbo.android

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: [VRBO Android App](https://play.google.com/store/apps/details?id=com.vrbo.android)

Integrity requirements:

Max severity: critical

Asset identifier: com.wotif.android

Asset type: GOOGLE_PLAY_APP_ID

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: This is the wotif Android app https://play.google.com/store/apps/details?id=com.wotif.android

Integrity requirements:

Max severity: critical

Asset identifier: www.abritel.fr

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.bookabach.co.nz

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.carrentals.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.cheaptickets.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.ebookers.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.ebookers.fi

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.expedia.com

Asset type: URL

Availability requirement: high

Confidentiality requirement: high

Eligible for bounty: true

Eligible for submissions: true

Instruction: Please note the only point-of-sale assets of www.expedia.com are in scope. This includes regional versions of www.expedia.com such as www.expedia.co.in and www.expedia.co.uk. Other sub-domains are out of scope and ineligible for a bounty.

Integrity requirements: high

Max severity: critical

Asset identifier: www.expediaagents.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.expediacruises.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.expediagroup.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.expediapartnercentral.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Partner Central provides tools and information to help Expedia's travel partners manage their listings on Expedia's marketplace. You should be able to sign up, but not to list a non-existent property due to Expedia's verification mechanisms. We are interested in any security issues you may discover along the way that pertains to unauthorized access to or modification of data about users, travelers, financial settings, credit cards, rates, occupancy & promotions.

Integrity requirements:

Max severity: critical

Asset identifier: www.expediapartnersolutions.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.fewo-direkt.de

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.flights.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.hotels.com

Asset type: URL

Availability requirement: medium

Confidentiality requirement: medium

Eligible for bounty: true

Eligible for submissions: true

Instruction: Please note only point of sale assets of www.hotels.com are in scope. This includes regional versions of www.hotels.com such as www.in.hotels.com, www.uk.hotels.com, and www.fr.hotels.com. Other sub-domains are out of scope and ineligible for bounty.

Integrity requirements: medium

Max severity: critical

Asset identifier: www.hotwire.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.hotwirepartnercentral.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.lastminute.co.nz

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Please note *.lastminute.com is NOT owned by Expedia Group and is out of scope.

Integrity requirements:

Max severity: critical

Asset identifier: www.lastminute.com.au

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Please note *.lastminute.com is NOT owned by Expedia Group and is out of scope.

Integrity requirements:

Max severity: critical

Asset identifier: www.mrjet.se

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.orbitz.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.stayz.com.au

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.travelocity.ca

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.travelocity.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.vrbo.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: www.wotif.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical