Tripadvisor Brief Bugcrowd


Thank you in advance for your contributions to our program! We look forward to working with you to keep TripAdvisor secure.

Guidelines
Note that if these are not followed, your submission will be considered as Out-of-Scope.

• When performing an action specific to a property or location, please use test properties where possible. If the behavior you are trying to test is unreachable, you may use real properties; but please refrain from doing so unless absolutely necessary. This is especially true when posting content.
• Vacation rental inquiries are only permissible on test properties (see below).
• Hotel Q/A questions should only be asked on test properties (see below).
• When writing reviews, or other forms of user generated content, on real properties, do not include any text which a user may mistake for real content. Also, do not include any inappropriate content, such as swear words. As required, use a bubble rating that matches the overall rating of the property. All test UGC (User Generated Content) submitted should be removed from the live site as soon as practical once the test is complete.
• Adding new listings is permissible, but with the same restrictions as reviews.
• Similarly, if uploading photos, the photos should not be mistakable for actual photos of the property and should not be inappropriate.
• Do not add any content in Italy, France, or the UK (Great Britain, N. Ireland, Scotland).
• Do not mark reviews helpful or report them as inappropriate except on test properties.
• Do not contact other users of the site.
• Booking hotel rooms is permissible, but be aware of the cancellation policies and cancel as soon as possible.
• Reserving restaurant tables is permissible, but be sure to use a valid email address and cancel the reservation immediately.
• Make reservations sparingly, since restaurants are often small businesses with very limited inventory.
• Do not reserve multiple tables in the same restaurant, and be sure to make reservations for at least 4 weeks in the future.

Ratings/Rewards:
For the initial prioritization/rating of findings, this program will use the Bugcrowd
Vulnerability Rating Taxonomy. However, it is important to note that in some cases a
vulnerability priority will be modified due to its likelihood or impact. In any instance
where an issue is downgraded, a full, detailed explanation will be provided to the
researcher - along with the opportunity to appeal, and make a case for a higher
priority.

This program only awards points for submissions.

Targets
In scope
Target Name
Any publicly accessible TripAdvisor web asset or host (domains, ip space, etc) - except for what

Test Properties:
Please only use the following properties when performing testing.

Test Hotels
• Test Hotel 1
• Test Hotel 2

Test Vacation Rentals
• Test Rental 1
• Test Rental 2
• Test Rental 3

Test Restaurants
• Test Restaurant 1
• Test Restaurant 2

Test Attractions
• Test Attraction

Out-of-Scope
• Sites owned by TripAdvisor Media Group but which operate independently, such as SmarterTravel, Viator, La Fourchette, etc.
• Domains owned by TripAdvisor but operated by third parties in order to provide a service to TripAdvisor are out of scope.
• For example, click.e.tripadvisor.com is a domain owned by TripAdvisor but operated by ExactTarget in order to track clicks from emails we send via their platform, and is thus out-of-scope.
• However, rd.deals.tripadvisor.com is a domain owned by TripAdvisor but operated by JetSetter and is in scope because JetSetter is a TAMG company (not a third party).
• Sites hosted in the cloud may or may not be in-scope. It will depend on who is operating the application (3rd party or TA) and whether it is providing a service as part of a larger offering as opposed to just hosting an application developed for TripAdvisor (an example of something OOS would be SaaS apps such as Zendesk that may be leveraged by TA, but are not running custom-built code expressly for TA).
• Partial list of sites that are out of scope as a result of this rule: *.e.tripadvisor.*, ir.tripadvisor.com, t1.tacdn.com
• This exclusion does not apply to domains being served via third party Content Delivery Networks such as Akamai and Edgecast. These domains are in-scope but the third party systems they traverse are not.
• Content fraud, such as inflating or deflating a property's rating, insertion of bogus properties within the listings, or raising the helpful vote count of a review.
• Exploits around mass content submission, account creation or spamming.
• Disruption of service, either through DoS attacks, exploitation of performance problems, or trying to fill up a database.
• Social engineering attacks.
• Attacks requiring physical access to TripAdvisor locations or property.
• Exploits against mobile applications requiring physical access to the device or that require warranty-voiding actions (e.g., rooting the device).
• Exploits against the site from webviews within mobile applications NOT published by TripAdvisor.

Out of Scope Domains

• flights.tripadvisor.com
• ir.tripadvisor.com
• t1.tacdn.com, and any other CDN network issues. TripAdvisor-specific content on CDNs is in scope.
• *.gateguru.*, gateguru.herokuapp.com, *.gateguruapp.*
• *.e1.tripadvisor.*, *.e2.tripadvisor.*, *.e3.tripadvisor.*, *.e4.tripadvisor.*
• jg.corp.tripadvisor.com
• engineering.tripadvisor.com and blog.tripadvisor.com
• tripadvisor.com/engineering, and any other aliases to out of scope sub-domains
• *.citymaps.com, *.citymaps.io, *.ctym.ps, and all related citymaps domains
• www.virtualtourist.com (vtourist.com, virtualtourist.fr, virtualtouriste.fr)
• *.tripbod.com
• rentals.tripadvisor.com, *.housetrip.com, *.niumba.com, *.holidaylettings.co.uk, *.holidaylettings.com, *.flipkey.com, bm.niumba.com, bm.housetrip.com, bm.flipkey.com, bm.holidaylettings.co.uk and the TripAdvisor Owner App
• *.toursgds.com, viatorinc.com, *.viatorcom.se, *.viatorcom.no, *.viatorcom.nl, *.viator.com, *.viatorcom.fr, *.viatorcom.de, https://viatorapi.viator.com/service/directory, and Viator Tours & Activities for iOS and Android
• All Smarter Travel domains, including but not limited to: *.smartertravel.com, *.jetsetter.com, *.tingo.com, *.cruisecritic.co.uk, *.cruisecritic.com, *.familyvacationcritic.com, *.independenttraveler.com, *.holidaywatchdog.com, *.holidaylettings.co.uk, *.airfarewatchdog.com, *.onetime.com, *.oyster.com, *.virtualtourist.com, *.bookingbuddy.com, *.smartertravel.net
• All La Fourchette domains, including but not limited to: *.thefork.com, *.theforkmanager.com, *.lafourchette.com, *.myfourchette.com, *.bloglafourchette.com, *.eltenedor.es, *couverts.nl, *.dimmi.com.au, *.mytable.it, *.iens.nl, *.eatigo.com
• All Viator domains.
• Domains owned by companies in which TAMG has only a minority investment, including, but not limited to, traxo.com. If in doubt as to whether a target applies here, please create a submission asking if the particular app/target is in or out of scope.

Safe Harbor:
When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
• Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via [email protected] before going any further.

Program rules
This program follows Bugcrowd’s standard disclosure terms.
