    Why Hyatt Is Launching a Public Bug Bounty Program

    By Sean Michael Kerner - January 10, 2019

      There are a lot of different things that a global hotel organization like Hyatt does to keep its operations running smoothly. One of them is maintaining the best cyber-security it can, and that’s an effort that now involves the use of a public bug bounty program, managed by HackerOne.

      Hyatt officially announced on Jan. 9 that it is launching a public bug bounty program to improve the security of its operations. A bug bounty program is an effort where security researchers are rewarded for identifying and responsibly disclosing software vulnerabilities. With the bug bounty program, rather than just relying on its own IT security staff to find flaws, Hyatt now benefits from a larger community of active researchers who are looking for vulnerabilities.

      The launch of Hyatt’s public bug bounty programs comes at an interesting time, as it follows the disclosure of a vulnerability in rival hotel operator Marriott’s Starwood chain, which exposed personal data on approximately 383 million individuals.

      Hyatt has engaged with managed bug bounty program provider HackerOne, which is one of a number of organizations, including Bugcrowd and Synack, that offer bug bounty programs. According to the HackerOne 2018 Hacker-Powered Security Report, released in July 2018, the volume of critical bug bounty reports has been increasing in recent years, as researchers continue to find serious issues in application software.

      While Hyatt officially launched its public bug bounty program on Jan. 9, it had been running a private invitation-only program on HackerOne for several months in late 2018. HackerOne CEO Marten Mickos told eWEEK that to date, Hyatt hasn’t disclosed any specific bugs that were found via the private bug bounty program. That said, he noted that the publicly viewable “Hacktivity” page shows that 14 vulnerabilities have been resolved with a total of $5,650 in awards paid out during the private program period.

      With a private bug bounty program, only an invited subset of researchers is able to participate. By going public, Hyatt is enabling anyone who registers on HackerOne to participate in the effort to identify flaws. As to why Hyatt decided to make its bug bounty program public now, weeks after the Marriott disclosure, Mickos provided some insight.

      “We work long term and strategically with our customers, and programs are launched based on when is best for our customer, not based on external events,” he said. “As a general rule, every organization should welcome security input from hackers, and the more open the program is, the more benefit it will bring.”

      Public Bug Bounty Program

      Among the most noteworthy aspects of the Hyatt bug bounty program is the fact that Hyatt is the first hotel chain to have such a cyber-security effort.

      “Hyatt takes the security of our guests and colleagues very seriously,” the program page for the public Hyatt bug bounty states. “By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers.”

      As is the case with all bug bounty programs, there is a range of awards that Hyatt will pay based on the impact of the submitted flaw. A submitted report with low impact will earn a researcher a $300 award, while the most critical types of issues will earn up to a $4,000 award. The program is also not a free-for-all; it includes a defined set of Hyatt assets that are considered within scope of the program. Those assets include Hyatt websites (hyatt.com, world.hyatt.com) as well as the company’s mobile applications on both iOS and Android.

      The Hyatt bug bounty program prohibits the use of social engineering tactics. Social engineering could include the use of phishing emails to trick a user into clicking on something malicious, as well as fraudulent voice phone calls. Additionally, the program does not include point-of-sale (PoS) terminals at the hotels. PoS attacks at hotel chains have led to data breaches at multiple hotels in the past, including a 2015 incident in hotels operated by Hyatt.

      “As we see it, every launch of a new program, even a small one, brings improvement to the state of security of the internet, and every expansion of scope enhances those benefits,” Mickos said. “There are always detailed technical and other considerations that go into the choice of what’s in scope and what’s not.”

      Mickos added that it is quite natural to start in one place and then successively expand the program over time. He noted that even if an expansion did not happen, the fact that some part of the digital assets is covered by a bug bounty program will typically free up internal security resources to focus testing on the parts that are not in scope. In that way, security improves across the board.

      While Hyatt is among the first global hospitality organizations to have a public bug bounty program, Mickos is optimistic that it won’t be the last.

      “We agree with the leading CISOs and government officials who have stated that it is tantamount to cyber-security negligence not to welcome vulnerability input from the external world,” he said. “In line with that principle, we hope that every hotel and hospitality company will reduce their cyber-risk by launching vulnerability disclosure or bug bounty programs. This will be a welcome improvement for all of society.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.