Hyatt launches public bug bounty program

It's one of the first bug bounty programs by a major hospitality brand.

Global hospitality chain Hyatt Hotels announced Wednesday that it’s launching a public bug bounty program through HackerOne, offering monetary prizes for security researchers to probe its websites and apps for leaky features and vulnerabilities that could be exploited by hackers.

The company is now looking to crowdsource vulnerability testing from a field of ethical hackers through HackerOne’s platform. Covered in the bug bounty program are the websites and Hyatt’s Android and iOS apps.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” Benjamin Vaughn, Hyatt’s chief information security officer, said in a press release.

Hyatt’s bounties range from $300 to $4,000, based on the severity of bugs security researchers discover. The participants, of course, have to agree to ethical hacking terms like not collecting personally identifiable information or launching denial of service attacks on Hyatt.


“Our best advice for the hacker community is to dive deep and discover interesting vulnerabilities. We are impressed when we receive creative vulnerabilities,” Vaughn said in a Q&A with HackerOne.

The CISO said Hyatt had for a while been testing the waters with the bug bounty concept through an invitation-only program, before deciding to launch the public one. The company appears to have paid out $5,650 in bounties through the trial run, according to its HackerOne page.

Hyatt says this is one of the first bug bounty programs by a major hospitality chain. It may have other big hotel brands beat there, but Airbnb has had a program with HackerOne since 2015.

The timing of the announcement might seem opportune, with major competitor Marriott recovering from a giant breach it disclosed just over a month ago. But it’s worth noting that Hyatt has had its own big cybersecurity run-ins in recent years.

Hyatt customer payment data at 41 properties was exposed to an unauthorized party for more than three months in 2017. For about four months in 2015, the company suffered from card-skimming malware at 250 properties in 50 countries.


“In today’s connected society, vulnerabilities will always be present. Organizations like Hyatt are leading the way by taking this essential step to secure the data they are trusted to hold,” said HackerOne CEO Marten Mickos in a press release.

HackerOne runs bug bounty and vulnerability disclosure programs for many companies and the U.S. government, competing with similar platforms like Bugcrowd and Synack.
