Hyatt Hotels launches bug bounty programme
The company turns to external help to prevent data breaches from ever affecting its properties again, says report
A report by online portal ZD Net has said that “Hyatt Hotels has launched a bug bounty program in light of recent card-skimming attacks against the hospitality chain.”
Reportedly, the company said the new initiative will be hosted on bug bounty programme HackerOne and is designed to allow Hyatt to "tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities".
Ethical hackers can use the platform -- as well as rival services such as Bugcrowd -- to report vulnerabilities, security flaws, leaky servers and more before less well-intentioned individuals stumble across them, potentially leading to cyberattacks or data theft, said the report.
The bug bounty programme is public and includes the main hyatt.com domain, m.hyatt.com, world.hyatt.com, and both the iOS and Android Hyatt mobile apps.
Novel origin IP address discovery, authentication bypass, back-end system access via front-end services, container escapes, SQL injections, cross-site request forgery, WAF bypass, and cross-site scripting (XSS) bugs will all be considered for rewards, among other issues.
Speaking to ZD Net, Benjamin Vaughn, Hyatt chief information security officer, said: "At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day. “
The report noted that in a Q&A with HackerOne, Vaughn said an invitation-only program was launched first, which may account for the $5,650 in bug bounty rewards which have already been issued at the time of writing.
“It is unfortunately quite common for hotel chains and others in the hospitality space to become the focus of cyberattacks due to the vast amount of valuable data these businesses process and store,” said the report.
ZD Net also pointed out that “Hard Rock Hotels & Casinos, Loews Hotels, Radisson Hotel Group, the Trump Hotel Collection, Marriott, and Hyatt Hotels itself is on the list of organizations which have experienced successful cyberattacks in recent years.”