Instruction: **Policy Guidance**
We are not currently providing credentials for this asset.
**Rules of Engagement**
- Set the User-Agent request header to 'hackerone-{your username}'
- Keep request volume low; automated testing is not permitted
- Do not fuzz contact forms
- Do not fuzz "Request Account Activation" or "Request Product Activation"
- Do not fuzz the "Change Request" requests under Sites
- Do not modify other hacker_* user accounts under the HackerOne test account
**Non-Qualifying Vulnerabilities and Exclusions**
- CSRF
Integrity requirements: high
Max severity: critical
Asset identifier: api.rezserver.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **Rezserver API**
_Policy Guidance_
We are not currently providing credentials for this asset.
_Rules_
- Don't use automated tools or scanners
- Don't DDoS
_Out of scope vulnerabilities_
- Missing best practices in HTTP header configuration.
- Any activity that could lead to the disruption of our service (DoS)
- Missing best practices in SSL/TLS configuration
- Account/email enumeration issues
- Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly)
- Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure
_Endpoints out of scope_
- Hotel: BookRequest
- Air: All endpoints
- Car: All endpoints
- Custom: All endpoints