In the wake of the massive data breach suffered by Marriott, Hyatt has announced that it will launch a bug bounty program in partnership with HackerOne, making it the first major hotel chain in the world to have a public bug bounty program.
“By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers,” Hyatt stated in its program policy.
With the goal of better protecting its millions of global guests from cyber threats, the Hyatt program will engage with researchers around the globe, offering them the chance to earn cash rewards for reporting valid security flaws on Hyatt.com, m.hyatt.com, world.hyatt.com, and the iOS and Android versions of the Hyatt mobile app.
“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt chief information security officer Benjamin Vaughn in a press release. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”
Security researchers can earn $4,000 for critical vulnerabilities and $1,200 for each high vulnerability reported, while those deemed medium will be awarded $600 and low vulnerabilities will be paid $300. To date, Hyatt has paid a total of $5,650 bounties, with the average bounty worth between $150–300.
Hyatt only accepts disclosures from HackerOne researchers, and the vulnerability reports must meet all of the established requirements and contain “original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.”