Grand Hyatt Manila, Bonifacio Global City, Taguig City, Metro Manila, Philippines. (EKU)
REMEMBER the massive breach, disclosed in November 2018, at a major global hotel chain that involved the data of some 500 million guests?
That was Marriott and its Starwood Hotels.
Before something like that can happen to it, Hyatt, another of the world’s major hotel chains, is doing what none has done before in the hospitality industry.
Here is a press statement sent to SDN — Science and Digital News about Hyatt’s launch of a public bug bounty program, intended to better protect millions of guests worldwide from cyber threats.
Through HackerOne, ethical (“white hat”) hackers from around the world can earn cash rewards for reporting valid security flaws in Hyatt.com, m.hyatt.com, world.hyatt.com, and the Hyatt iOS and Android apps.
Hyatt Hotels Corporation and its affiliates (“Hyatt”) comprise one of the world’s largest hospitality brands with more than 750 properties in more than 55 countries. Those properties and their more than 100,000 colleagues have hosted millions of guests around the globe. That all amounts to a lot of data to protect and defend on a daily basis.
On January 16 Hyatt launched its first public bug bounty program at HackerOne. To learn more about Hyatt’s program and the company’s commitment to security, McGallen and Bolden sat down for a Q&A with Hyatt’s Chief Information Security Officer (CISO) Benjamin Vaughn.
Q: Why did Hyatt launch a bug bounty program?
A: Hyatt’s purpose – we care for people so they can be their best – guides every decision we make, and protecting the information we receive from our guests is a key part of bringing our purpose to life. Our cyber security department is consistently identifying new ways to further enhance our security and we believe a bug bounty program is a great way to look to the security research community for their expertise. The security of our guests and colleagues is our top priority, and Hyatt will continue to do everything we can to protect their information.
Q: Is this Hyatt’s first bug bounty program? If not, what were the results of the private program?
A: Following the recommendations of HackerOne, Hyatt ran an invitation-only version of the program for some time. We were very pleased with the results of the private program and this helped inform our decision to launch the program publicly.
Q: What Hyatt channels are available for hackers to test?
A: Hyatt.com, world.hyatt.com, the Hyatt mobile app (iOS and Android versions), and m.hyatt.com are available for testing. Full scope and guidance are available on our program page: https://hackerone.com/hyatt.
Q: Why did Hyatt choose HackerOne to manage its program? Did the Hyatt security team evaluate other vendors?
A: Hyatt conducted a review of the bug bounty marketplace and also evaluated the merits of operating our own program. Based on the results of that review, we selected HackerOne, and we look forward to working with the HackerOne community. We chose HackerOne specifically because of their robust platform, integration possibilities and clear rating system for vulnerabilities.
Q: Anything to say directly to the hacker community?
A: We thank the participants of our private program for their assistance and ask any new participants to stay in touch with us as they perform their research. Our best advice for the hacker community is to dive deep and discover interesting vulnerabilities. We are impressed when we receive creative vulnerabilities. We will be there to help! (McGallen and Bolden)
Details on the program and bounty rewards can be found at https://hackerone.com/hyatt.