Hotel group launches its own vulnerability bounty program

Hyatt Hotels will begin collaboration with external experts to avoid incidents that may affect its customers’ personal data

Network security and ethical hacking specialists from the International Institute of Cyber Security reported that Hyatt Hotels has announced the implementation of its own vulnerability bounty program, after suffering a payment card information theft incident.

The company reported in recent days that this initiative will be carried out in collaboration with the bounty program platform HackerOne, as well as adding that it will be designed to make Hyatt Hotels “take advantage of the broad experience of the cybersecurity community to identify and address potential vulnerabilities before they affect clients”.

“At Hyatt, protecting all of our customers’ data is one of our priorities, so launching this bounty program means a huge step to keeping our guests information always safe”, stated Benjamin Vaughn , IT manager at the hotel chain.

Experts in network security, ethical hacking, etc., will be able to use the HackerOne platform to report vulnerabilities, security bugs, server leaks and any other similar incidents before malicious hackers enter the scene, preventing any data theft or any other cyberattack.

This program will be public and researchers will be able to work to report vulnerabilities in multiple domains owned by the hotel group, such as,,, as well as their mobile applications for iOS and Android operating systems.

This program will consider for rewards the reports of authentication omission vulnerabilities, SQL injections, fake queries sending, cross-site scripting, among others. Regarding the evaluation of the reports, the company has opted for the use of the Common Vulnerability Scoring Standard (CVSS) to determine the severity of the reported vulnerabilities.

According to network security experts, reports of vulnerabilities considered critical will receive a payment of up to $4k USD. Errors considered medium severity could receive up to $1.2k USD, while the most common flaw reports will receive between $300 and $600 USD.

In recent years, hotel chains and other similar businesses have become one of the cybercriminals’ favorite targets due to the large amount of sensitive information these businesses process and store every day. Companies such as Radisson Hotel Group, Marriott, and Hyatt Hotels itself are some of the most relevant cyberattack victims.

In 2015, 250 properties managed by Hyatt in countries like the United States, United Kingdom, China, Germany, Japan, Italy, France, Russia and Canada were the subject of a cyberattack. In the incident, information theft malware was injected into the company’s systems to extract information from their customers’ payment cards.