Hyatt Hotels launches bug bounty program

The company has turned to external help to prevent data breaches from ever affecting its properties again.
Written by Charlie Osborne, Contributing Writer

Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.

On Wednesday, the company said the new initiative will be hosted on bug bounty program HackerOne and is designed to allow Hyatt to "tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities."

Ethical hackers can use the platform -- as well as rival services such as Bugcrowd -- to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft.

The bug bounty program is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.

Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.  

CNET: Twitter messages to Russian cybersecurity firm helped NSA leak probe

Hyatt has chosen to use the Common Vulnerability Scoring Standard (CVSS) standard to evaluate the severity of security flaws found.

Researchers who report valid, high-severity flaws can expect rewards of up to $4,000; important bugs will earn them $1,200 and less severe vulnerabilities are worth between $300 and $600.

"At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day," said Hyatt Chief Information Security Officer Benjamin Vaughn. "As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information."  
In a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing. 

TechRepublic: WordPress users beware: These 10 plugins are most vulnerable to attacks
It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store.

Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel Collection, Marriott, and Hyatt Hotels itself is on the list of organizations which have experienced successful cyberattacks in recent years.

In 2015, 250 properties managed by Hyatt across countries including the US, UK, China, Germany, Japan, Italy, France, Russia, and Canada were subject to a cyberattack. Information-stealing malware was implanted on systems, leading to the exposure of customer financial data including cardholder names, card numbers, expiration dates, and internal verification codes.

See also: 250 Hyatt hotels infected last year with payment data stealing malware

A second data breach occurred in 2017, in which 41 locations were affected and unauthorized access to payment card information was detected.

Chicago-based Hyatt Hotels manages over 750 properties in 55 countries.
Other organizations that use HackerOne to tap into a vast pool of security researchers include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.

CES 2019: The best tech, gadgets on show (so far)

Previous and related coverage

Editorial standards