Why Hyatt Is Launching a Public Bug Bounty Program

Weeks after Marriott disclosed a massive data breach at its Starwood Hotels division, rival hotel chain Hyatt announces a new effort to help improve cyber-security.
There are a lot of different things that a global hotel organization like Hyatt does to keep its operations running smoothly. One of them is maintaining the best cyber-security it can, and that effort now includes a public bug bounty program managed by HackerOne.

Hyatt officially announced on Jan. 9 that it is launching a public bug bounty program to improve the security of its operations. A bug bounty program is an effort where security researchers are rewarded for identifying and responsibly disclosing software vulnerabilities. With the bug bounty program, rather than just relying on its own IT security staff to find flaws, Hyatt now benefits from a larger community of active researchers who are looking for vulnerabilities.

The launch of Hyatt's public bug bounty program comes at an interesting time, as it follows the disclosure of a vulnerability in rival hotel operator Marriott's Starwood chain, which exposed personal data on approximately 383 million individuals.

Hyatt has engaged with managed bug bounty program provider HackerOne, which is one of a number of organizations, including Bugcrowd and Synack, that offer bug bounty programs. According to the HackerOne 2018 Hacker-Powered Security Report, released in July 2018, the volume of critical bug bounty reports has been increasing in recent years, as researchers continue to find serious issues in application software.

While Hyatt officially launched its public bug bounty program on Jan. 9, it had been running a private invitation-only program on HackerOne for several months in late 2018. HackerOne CEO Marten Mickos told eWEEK that to date, Hyatt hasn’t disclosed any specific bugs that were found via the private bug bounty program. That said, he noted that the publicly viewable "Hacktivity" page shows that 14 vulnerabilities have been resolved with a total of $5,650 in awards paid out during the private program period.

With a private bug bounty program, only an invited subset of researchers is able to participate. By going public, Hyatt is enabling anyone who registers on HackerOne to participate in the effort to identify flaws. As to why Hyatt decided to make its bug bounty program public now, weeks after the Marriott disclosure, Mickos provided some insight.

"We work long term and strategically with our customers, and programs are launched based on when is best for our customer, not based on external events," he said. "As a general rule, every organization should welcome security input from hackers, and the more open the program is, the more benefit it will bring."

Public Bug Bounty Program

Among the most noteworthy aspects of the Hyatt bug bounty program is the fact that it is the first hotel chain to have such a cyber-security effort.

"Hyatt takes the security of our guests and colleagues very seriously," the program page for the public Hyatt bug bounty states. "By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers."

As is the case with all bug bounty programs, there is a range of awards that Hyatt will pay based on the impact of the submitted flaw. A submitted report with low impact will earn a researcher a $300 award, while the most critical types of issues will earn up to a $4,000 award. The program is also not a free-for-all: it includes a defined set of Hyatt assets that are considered within scope. Those assets include Hyatt websites (hyatt.com, world.hyatt.com) as well as the company's mobile applications on both iOS and Android.

The Hyatt bug bounty program prohibits the use of social engineering tactics. Social engineering could include phishing emails that trick a user into clicking on something malicious, as well as fraudulent voice phone calls. Additionally, the program does not include point-of-sale (PoS) terminals at the hotels. PoS attacks on hotel chains have led to data breaches at multiple hotels in the past, including a 2015 incident at hotels operated by Hyatt.

"As we see it, every launch of a new program, even a small one, brings improvement to the state of security of the internet, and every expansion of scope enhances those benefits," Mickos said. "There are always detailed technical and other considerations that go into the choice of what’s in scope and what’s not."

Mickos added that it is quite natural to start in one place and then successively expand the program over time. He noted that even if an expansion would not happen, the fact that some part of the digital assets is in a bug bounty program will typically free up internal security resources to focus testing on the parts that are not in scope. In that way, security improves across the board.

While Hyatt is among the first global hospitality organizations to have a public bug bounty program, Mickos is optimistic that it won't be the last.

"We agree with the leading CISOs and government officials who have stated that it is tantamount to cyber-security negligence not to welcome vulnerability input from the external world," he said. "In line with that principle, we hope that every hotel and hospitality company will reduce their cyber-risk by launching vulnerability disclosure or bug bounty programs. This will be a welcome improvement for all of society."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.