Tripadvisor Brief Bugcrowd
We look forward to working with you to keep TripAdvisor secure.
Guidelines
Note that if these are not followed, your submission will be considered as Out-of-Scope.
Ratings/Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Targets
In scope
Target Name
Any publicly accessible TripAdvisor web asset or host (domains, ip space, etc) - except for what
Test Properties:
Please only use the following properties when performing testing.
Test Hotels
Test Hotel 1
Test Hotel 2
Test Rental 1
Test Rental 2
Test Rental 3
Test Restaurants
Test Restaurant 1
Test Restaurant 2
Test Attractions
Test Attraction
Out-of-Scope
Sites owned by TripAdvisor Media Group (TAMG) that operate independently, such as SmarterTravel, Viator, La Fourchette, etc.
Domains owned by TripAdvisor but operated by third parties in order to provide a service to TripAdvisor are out of scope. For example, click.e.tripadvisor.com is a domain owned by TripAdvisor but operated by ExactTarget in order to track clicks from emails we send via their platform, and is thus out-of-scope. However, rd.deals.tripadvisor.com is a domain owned by TripAdvisor but operated by JetSetter and is in scope because JetSetter is a TAMG company (not a third party).
Sites hosted in the cloud may or may not be in-scope. It will depend on who is operating the application (3rd party or TA) and whether it is providing a service as part of a larger offering, as opposed to just hosting an application developed for TripAdvisor (an example of something OOS would be SaaS apps such as Zendesk that may be leveraged by TA, but are not running custom-built code expressly for TA).
Partial list of sites that are out of scope as a result of this rule: *.e.tripadvisor.*, ir.tripadvisor.com, t1.tacdn.com
This exclusion does not apply to domains being served via third party Content Delivery Networks such as Akamai and Edgecast. These domains are in-scope, but the third party systems they traverse are not.
Content fraud such as inflating or deflating a property's rating, insertion of bogus properties within the listings, or raising the helpful vote count of a review.
Exploits around mass content submission, account creation or spamming.
Disruption of service either through DoS attacks, exploitation of performance problems, or trying to fill up a database.
Social engineering attacks.
Attacks requiring physical access to TripAdvisor locations or property.
Exploits against mobile applications requiring physical access to the device or that require warranty voiding actions (e.g., rooting the device).
Exploits against the site from webviews within mobile applications NOT published by TripAdvisor.
flights.tripadvisor.com
ir.tripadvisor.com
t1.tacdn.com, and any other CDN network issues. TripAdvisor-specific content on CDNs is in scope.
*.gateguru.*, gateguru.herokuapp.com, *.gateguruapp.*
*.e1.tripadvisor.*, *.e2.tripadvisor.*, *.e3.tripadvisor.*, *.e4.tripadvisor.*
jg.corp.tripadvisor.com
engineering.tripadvisor.com and blog.tripadvisor.com.
tripadvisor.com/engineering, and any other aliases to out-of-scope sub-domains.
*.citymaps.com, *.citymaps.io, *.ctym.ps, & all related citymaps domains
www.virtualtourist.com (vtourist.com, virtualtourist.fr, virtualtouriste.fr)
*.tripbod.com
rentals.tripadvisor.com, *.housetrip.com, *.niumba.com, *.holidaylettings.co.uk, *.holidaylettings.com, *.flipkey.com, bm.niumba.com, bm.housetrip.com, bm.flipkey.com, bm.holidaylettings.co.uk, and the TripAdvisor Owner App
*.toursgds.com, viatorinc.com, *.viatorcom.se, *.viatorcom.no, *.viatorcom.nl, *.viator.com, *.viatorcom.fr, *.viatorcom.de, https://viatorapi.viator.com/service/directory, and Viator Tours & Activities for iOS and Android
All Smarter Travel domains, including but not limited to:
*.smartertravel.com, *.jetsetter.com, *.tingo.com, *.cruisecritic.co.uk, *.cruisecritic.com, *.familyvacationcritic.com, *.independenttraveler.com, *.holidaywatchdog.com, *.holidaylettings.co.uk, *.airfarewatchdog.com, *.onetime.com, *.oyster.com, *.virtualtourist.com, *.bookingbuddy.com, *.smartertravel.net
All La Fourchette domains, including but not limited to:
*.thefork.com, *.theforkmanager.com, *.lafourchette.com, *.myfourchette.com, *.bloglafourchette.com, *.eltenedor.es, *.couverts.nl, *.dimmi.com.au, *.mytable.it, *.iens.nl, *.eatigo.com
All Viator domains.
Domains owned by companies in which TAMG holds only a minority investment, including, but not limited to, traxo.com. If in doubt as to whether a target falls under this rule, please create a submission asking whether the particular app/target is in or out of scope.
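The scope rules above are stated as host globs in the program's own `*.label.*` style, and a researcher recon run usually produces hundreds of candidate hosts, so it helps to encode the rules once and let a function decide before any request is sent. The following is an added example written for this page; it is not Bugcrowd's or TripAdvisor's tooling. The exclusion patterns are copied from the out-of-scope list above (including the one path-based entry, tripadvisor.com/engineering). Two things are assumptions, not statements from the brief: that a `*` stands for one or more DNS labels (so `*.flipkey.com` does not cover the apex flipkey.com), and that the broad "any publicly accessible TripAdvisor web asset" rule can be approximated by the `TRIPADVISOR_ROOTS` globs. Anything that matches neither list is reported as "ask", mirroring the brief's instruction to file a submission when in doubt.

```python
import re
from urllib.parse import urlsplit

# Host globs copied from the brief's out-of-scope list. One entry carries a path
# prefix (tripadvisor.com/engineering); everything else is a bare host glob.
OUT_OF_SCOPE = [
    "*.e.tripadvisor.*", "ir.tripadvisor.com", "t1.tacdn.com", "flights.tripadvisor.com",
    "*.gateguru.*", "gateguru.herokuapp.com", "*.gateguruapp.*",
    "*.e1.tripadvisor.*", "*.e2.tripadvisor.*", "*.e3.tripadvisor.*", "*.e4.tripadvisor.*",
    "jg.corp.tripadvisor.com", "engineering.tripadvisor.com", "blog.tripadvisor.com",
    "tripadvisor.com/engineering",
    "*.citymaps.com", "*.citymaps.io", "*.ctym.ps", "www.virtualtourist.com",
    "vtourist.com", "virtualtourist.fr", "virtualtouriste.fr", "*.tripbod.com",
    "rentals.tripadvisor.com", "*.housetrip.com", "*.niumba.com", "*.holidaylettings.co.uk",
    "*.holidaylettings.com", "*.flipkey.com", "*.toursgds.com", "viatorinc.com",
    "*.viator.com", "*.viatorcom.se", "*.viatorcom.no", "*.viatorcom.nl", "*.viatorcom.fr",
    "*.viatorcom.de", "*.smartertravel.com", "*.jetsetter.com", "*.tingo.com",
    "*.cruisecritic.co.uk", "*.cruisecritic.com", "*.familyvacationcritic.com",
    "*.independenttraveler.com", "*.holidaywatchdog.com", "*.airfarewatchdog.com",
    "*.onetime.com", "*.oyster.com", "*.virtualtourist.com", "*.bookingbuddy.com",
    "*.smartertravel.net", "*.thefork.com", "*.theforkmanager.com", "*.lafourchette.com",
    "*.myfourchette.com", "*.bloglafourchette.com", "*.eltenedor.es", "*.couverts.nl",
    "*.dimmi.com.au", "*.mytable.it", "*.iens.nl", "*.eatigo.com", "traxo.com", "*.traxo.com",
]

# ASSUMPTION (not in the brief): the "any publicly accessible TripAdvisor web asset"
# rule is approximated by these globs. The brief publishes no in-scope domain list.
TRIPADVISOR_ROOTS = ["tripadvisor.*", "*.tripadvisor.*"]

# ASSUMPTION: a "*" stands for one or more DNS labels, so it can span "co.uk".
LABELS = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*"


def glob_to_regex(host_glob):
    """Compile a brief-style host glob into an anchored regex.
    '*.flipkey.com' matches bm.flipkey.com and a.b.flipkey.com but not the apex
    flipkey.com; list the apex separately if the program intends to cover it."""
    parts = [re.escape(p) for p in host_glob.lower().split("*")]
    return re.compile("^" + LABELS.join(parts) + "$")


def _split_pattern(pattern):
    """Separate an optional path prefix ('host/path') from the host glob."""
    host_glob, _, path = pattern.partition("/")
    return glob_to_regex(host_glob), ("/" + path if path else None)


def _normalize(target):
    """Accept a bare host or a full URL; return (lowercase host, path)."""
    if "://" not in target:
        target = "https://" + target
    u = urlsplit(target)
    host = (u.hostname or "").rstrip(".").lower()
    return host, (u.path or "/")


def classify(target, exclusions=OUT_OF_SCOPE, roots=TRIPADVISOR_ROOTS):
    """Return 'out-of-scope', 'in-scope' or 'ask'. Exclusions are evaluated first
    because they carve holes out of the broad in-scope rule; a host that matches
    neither list is flagged for a scope-question submission, as the brief asks."""
    host, path = _normalize(target)
    for pattern in exclusions:
        rx, path_prefix = _split_pattern(pattern)
        if rx.match(host) and (path_prefix is None or path.startswith(path_prefix)):
            return "out-of-scope"
    if any(glob_to_regex(r).match(host) for r in roots):
        return "in-scope"
    return "ask"


if __name__ == "__main__":
    # Constructed sample targets, including the two hosts the brief uses as examples.
    for t in ["www.tripadvisor.com", "click.e.tripadvisor.com", "rd.deals.tripadvisor.com",
              "https://tripadvisor.com/engineering", "flipkey.com", "traxo.com", "example.org"]:
        print(f"{t:40} {classify(t)}")
```

Run it against a recon host list before touching anything; every "ask" result is a scope question to file rather than a host to probe. Note that IP ranges are in scope per the brief but no glob covers them here, so bare IPs also come back as "ask".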
Safe Harbor:
When conducting vulnerability research according to this policy, we consider this research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via [email protected] before going any further.
Program rules
This program follows Bugcrowd’s standard disclosure terms.