Vulnerability Disclosure Policy

Keeping traveller’s information safe and secure is a top priority and a core company value for us at Skyscanner. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Skyscanner travellers.

For the past few years, we’ve run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep travellers safe when using Skyscanner.

We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief. 

To submit a vulnerability you’ve found, you will first need to sign up for free as a Bugcrowd researcher and then submit your findings directly to our programme. We won’t consider any vulnerabilities submitted outside of Bugcrowd. 

Guidelines

We encourage thorough proof-of-concept/replication of the bug, including videos, images, and a description of the business impact. These will all factor into our bounty decision-making process.

To promote the discovery and reporting of vulnerabilities and increase traveller safety, we ask that you:

  • share the security issue with us in detail
  • understand that all valid reports will be taken seriously by our engineering teams
  • act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service)
  • comply with all applicable laws

We will only reward the first report of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behaviour.

We will not negotiate in response to duress or threats (e.g. we will not negotiate the payout amount under threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public).

Expectations

We expect researchers to follow the program rules:

Researchers must:

  • add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
  • use your username@bugcrowdninja.com email address for accounts
  • not access or modify our, or our travellers’ data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
  • contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
  • perform testing and research only within the areas that are in scope 
  • follow the Bugcrowd Coordinated Disclosure rules

In addition, we count the following activities as strictly prohibited, and thus not rewardable. These are in addition to the Bugcrowd Vulnerability Rating Taxonomy:

  • Social Engineering attacks
  • DDoS
  • Use of automated vulnerability / scanning tools
  • Please do not spam forms or account creation flows using automated scanners
  • We have a number of rate limits in place that may result in your IP address being blocked if you use such tools
  • Any testing of corporate email (*@skyscanner.net)

We are under no obligation to payout for any bugs that are not submitted in accordance with this policy or any of the Bugcrowd policies. We reserve the right to withdraw this scheme at any time and shall have no obligation to payout for any bugs submitted after closure of the scheme. We reserve the right to deduct a 10% penalty on valid and accepted submissions that do not follow the guidelines mentioned above. Following the guidelines will help us triage the vulnerability more effectively from our side, which should result in faster processing of the submission.