Traveloka is committed to keep its services safe for everyone, which is why data security is our utmost priority. Traveloka welcomes any contributions and information by security researchers who find various types of security vulnerabilities seen in our services, in which case we would be appreciative if you would privately disclose your findings to us. Traveloka offers a bounty or reward to these external security researchers for their invaluable contribution in improving security at Traveloka.
Traveloka will not take any legal action against security researchers who report a vulnerability as long as they comply to the Traveloka bug bounty rules. We appreciate your efforts and hard work in making the internet (and Traveloka) more secure and look forward to working with the researcher community to create a meaningful and successful bug bounty program.
Currently, we manage our private bug bounty program on Bugcrowd. If you wish you to get the invitation, please send valid vulnerability details to firstname.lastname@example.org.
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Traveloka not listed in the targets section is out of scope. This includes any/all subdomains not listed above. However, if you find a security issue other than in our main application and you believe that the issue has a serious impact, feel free to report to us so we can assess the risks to determine the bounty eligibility.
Business logic flaws
Generic web security flaws
Mobile app client-side vulnerabilities
Web app client-side vulnerabilities such as XSS must be exploitable in the latest version of major internet browser.
Mobile app client-side vulnerabilities such as insecure deeplink must be exploitable in the latest version of Traveloka mobile app. Please note that not all insecure deeplinks/IPCs are eligible for bounty.
In general, client-side vulnerabilities can be eligible for bounty if the likelihood is high and do not require complex user interactions.
Vulnerabilities that require users to visit certain URLs or install certain applications will not have severity higher than Medium (P3).
Please note that users can book a product on Traveloka without registration and can attach/send the booking to a registered account by using the email address or phone number as contact. We also allow users to view / process other users' bookings if they have the correct auth code. The flexibility offered by Traveloka might not be the best ideal for some cases but we are aware of the potential abuse from those features and we compensate them with strict monitoring.
Reward amounts may vary depending upon the severity of the vulnerability and its impact on Traveloka, the quality of the report, and the type of affected system. Traveloka uses the international standard for risk calculations that is OWASP Risk Rating Methodology.
We are sorry that vulnerabilities scored < 3 (Info to Low) are not eligible for bounty. While vulnerabilities scored >= 3 (Medium to Critical) are eligible for monetary reward, we will proceed to reward as soon as possible after complete verification. Keep in mind that it can take up to 90 days for security researchers to receive the reward.
Traveloka Bug Bounty program appreciates security researchers who help us make our products and services safer. We are happy to present the list of researchers who have participated in this program: