Why Hyatt Is Launching a Public Bug Bounty Program | eWeek


Jan 10, 2019

There are a lot of different things that a global hotel organization like Hyatt does to keep its operations running smoothly. One of them is maintaining the best cyber-security it can, and that effort now includes a public bug bounty program managed by HackerOne.

Hyatt officially announced on Jan. 9 that it is launching a public bug bounty program to improve the security of its operations. A bug bounty program is an arrangement in which security researchers are rewarded for identifying and responsibly disclosing software vulnerabilities. With the bug bounty program, rather than relying solely on its own IT security staff to find flaws, Hyatt now benefits from a larger community of active researchers who are looking for vulnerabilities.

The launch of Hyatt's public bug bounty program comes at an interesting time, as it follows the disclosure of a data breach at rival hotel operator Marriott's Starwood chain, which exposed personal data on approximately 383 million individuals.


Hyatt has engaged managed bug bounty program provider HackerOne, which is one of a number of organizations, including Bugcrowd and Synack, that offer bug bounty programs. According to the HackerOne 2018 Hacker-Powered Security Report, released in July 2018, the volume of critical bug bounty reports has been increasing in recent years, as researchers continue to find serious issues in application software.

While Hyatt officially launched its public bug bounty program on Jan. 9, it had been running a private invitation-only program on HackerOne for several months in late 2018. HackerOne CEO Marten Mickos told eWEEK that to date, Hyatt hasn’t disclosed any specific bugs that were found via the private bug bounty program. That said, he noted that the publicly viewable “Hacktivity” page shows that 14 vulnerabilities have been resolved with a total of $5,650 in awards paid out during the private program period.

With a private bug bounty program, only an invited subset of researchers are able to participate. By going public, Hyatt is enabling anyone who registers on HackerOne to participate in the effort to identify flaws. As to why Hyatt decided to make its bug program public now, weeks after the Marriott disclosure, Mickos provided some insight.

“We work long term and strategically with our customers, and programs are launched based on when is best for our customer, not based on external events,” he said. “As a general rule, every organization should welcome security input from hackers, and the more open the program is, the more benefit it will bring.”


Public Bug Bounty Program

Among the most noteworthy aspects of the Hyatt bug bounty program is that Hyatt is the first hotel chain to run such a cyber-security effort.

“Hyatt takes the security of our guests and colleagues very seriously,” the program page for the public Hyatt bug bounty states. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.”

As is typical of bug bounty programs, Hyatt pays a range of awards based on the impact of the submitted flaw. A submitted report with low impact will earn a researcher a $300 award, while the most critical types of issues will earn up to a $4,000 award. The program is also not a free-for-all: it defines a set of Hyatt assets that are considered within scope. Those assets include Hyatt websites (hyatt.com, world.hyatt.com) as well as the company's mobile applications on both iOS and Android.

The Hyatt bug bounty program prohibits the use of social engineering tactics. Social engineering includes phishing emails that trick a user into clicking on something malicious as well as fraudulent voice phone calls. Additionally, the program does not include point-of-sale (PoS) terminals at the hotels. PoS attacks on hotel chains have led to data breaches at multiple hotel operators in the past, including a 2015 incident at hotels operated by Hyatt.
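Scope rules like the ones above are what a researcher has to check before touching a host, and the classic mistake is a naive suffix match that treats `nothyatt.com` or `hyatt.com.evil.test` as in scope. The helper below is an added example, not code from Hyatt, HackerOne or the original article. It normalizes a URL or bare hostname (case, port, trailing dot) and matches it against an asset list on label boundaries. The two hosts in the default scope list are the ones the article names; the `*.` wildcard form is a feature of this helper, and the `*.example.test` entry used to exercise it is a constructed placeholder, not part of Hyatt's published scope. Activity exclusions such as social engineering and PoS terminals are policy constraints that no host matcher can enforce; they are not modeled here.

```python
"""In-scope host matcher for a bug bounty asset list (added example, not Hyatt's code)."""
from urllib.parse import urlsplit

# Hosts the article names as in scope. Subdomains such as api.hyatt.com are
# deliberately NOT matched, because the article lists only these two hosts.
IN_SCOPE = ("hyatt.com", "world.hyatt.com")


def normalize_host(target: str) -> str:
    """Reduce a URL or bare hostname to a lowercase host without port or trailing dot.

    Accepts "https://World.Hyatt.com:443/x", "hyatt.com:8443", "HYATT.COM." and
    returns "world.hyatt.com", "hyatt.com", "hyatt.com" respectively.
    """
    if "://" not in target:
        # urlsplit only treats the first component as a netloc when it
        # starts with "//"; prefix bare hostnames so the port is split off.
        target = "//" + target
    host = urlsplit(target).hostname or ""   # .hostname is already lowercased
    return host.rstrip(".")


def in_scope(target: str, scope=IN_SCOPE) -> bool:
    """True if target's host is covered by an entry in scope.

    Scope entries are either exact hostnames or wildcards of the form
    "*.example.test" (matches subdomains only, not the apex). Matching is
    done on label boundaries, so "nothyatt.com" never matches "hyatt.com".
    """
    host = normalize_host(target)
    if not host:
        return False
    for entry in scope:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            # ".example.test": the leading dot enforces the label boundary,
            # so "a.example.test" matches while "notexample.test" does not.
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample targets; the wildcard scope entry is hypothetical.
    for t in ("https://hyatt.com/", "HTTPS://World.Hyatt.com:443/login",
              "nothyatt.com", "hyatt.com.evil.test", "api.hyatt.com"):
        print(f"{t!r:45} in scope: {in_scope(t)}")
    print(in_scope("a.b.example.test", ("*.example.test",)))   # True
    print(in_scope("notexample.test", ("*.example.test",)))    # False
```

Run it as a pre-flight check on a target list before any scanning; a `False` for a host you expected to test is the cue to re-read the program page rather than to widen the matcher.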

“As we see it, every launch of a new program, even a small one, brings improvement to the state of security of the internet, and every expansion of scope enhances those benefits,” Mickos said. “There are always detailed technical and other considerations that go into the choice of what’s in scope and what’s not.”

Mickos added that it is quite natural to start in one place and then successively expand the program over time. He noted that even if an expansion would not happen, the fact that some part of the digital assets is in a bug bounty program will typically free up internal security resources to focus testing on the parts that are not in scope. In that way, security improves across the board.

While Hyatt is among the first global hospitality organizations to have a public bug bounty program, Mickos is optimistic that it won’t be the last.

“We agree with the leading CISOs and government officials who have stated that it is tantamount to cyber-security negligence not to welcome vulnerability input from the external world,” he said. “In line with that principle, we hope that every hotel and hospitality company will reduce their cyber-risk by launching vulnerability disclosure or bug bounty programs. This will be a welcome improvement for all of society.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Property of TechnologyAdvice. © 2026 TechnologyAdvice. All rights reserved.
