Travefy Vulnerability Bounty Program

Learn more about Travefy's Vulnerability Bounty Program, also known as a Bug Bounty Program

Written by David Chait
Updated over a week ago

Travefy currently supports a bounty program for discovering vulnerabilities. 

How to Submit

You can submit a vulnerability using the form below.

Please note Travefy will only review submissions made via the above form.

All submissions must include:

Area

Submission Information

About YOU

  • Name

  • Email Address

About YOUR SUBMISSION

  • Name of Potential Vulnerability

  • Description of potential vulnerability. Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)

  • Supporting technical details, such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue

  • Recommendations to resolve the issue

  • Supporting Files / Documents

REWARD INFORMATION

  • PayPal Email Address

  • W9 or W8-BEN for tax purposes

If you have any issues, please email vbprogram@travefy.com.

Please expect to hear from the Travefy team within 30 business days.

Program Rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.

  • Do not attempt to view, modify, or damage data belonging to others.

  • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.

  • Do not attempt to gain access to another user’s account or data.

  • Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.

  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Exclusions

The following vulnerabilities are not eligible for bounty.

  • Network level Denial of Service attacks

  • Application Denial of Service by locking user accounts

  • Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)

  • Disclosure of known public files or directories (e.g. robots.txt)

  • Outdated software / library versions

  • OPTIONS / TRACE HTTP method enabled

  • Cookies that lack HttpOnly or Secure settings for non-sensitive data

  • Self-XSS and issues exploitable only through Self-XSS

  • Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit

  • Attacks requiring physical access to a user's device

  • Attacks dependent upon social engineering of Travefy employees or vendors.

  • SSL/TLS best practices.

  • SSL attacks such as BEAST, BREACH, Renegotiation attack.

Rewards

You may be eligible to receive a monetary reward if:

  • You are the first person to submit a site or product vulnerability

  • That vulnerability is determined to be a valid security issue by Travefy's security team

  • You have complied with all Program Rules

All rewards are paid via PayPal and you will be required to complete a signed W9 form for accounting and tax purposes or a W-8BEN if you are a foreign individual. You can find links to these forms here.

Vulnerability Type

Definition

Minor Vulnerability

This is for a minor vulnerability with a practical exploit or a serious vulnerability without a practically demonstrated exploit.

Serious Vulnerability

This is a serious vulnerability with a practically demonstrated exploit and mitigation steps. A serious vulnerability is defined as something that results in exposing customer data or loss of customer data.

All bounty amounts will be determined at the discretion of the Travefy Inc. Bug Bounty team, who will evaluate each report for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.

The minimum bounty amount for a validated bug submission is $25 USD and the maximum bounty for a validated bug submission is $500 USD. Travefy's Bug Bounty team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Travefy Bug Bounty team are final.

Travefy does not reward for minor vulnerabilities that have no practical exploit.

Terms & Conditions

  • The parties to this agreement are you and "Travefy Inc."

  • You must abide by the law.

  • "Travefy Inc." employees, contractors, and their families are not eligible for rewards.

  • By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than "Travefy Inc." via our Bug Bounty Process.

  • Submissions selected for rewards, and the individuals who submitted the vulnerabilities, will receive appropriate recognition at the discretion of Travefy Inc.

  • By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Travefy Inc. a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that Travefy had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.

  • Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Travefy.

  • You are responsible for notifying Travefy Inc. of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.

  • Travefy Inc. reserves the right to discontinue the Program at any time without notice.

  • You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.

  • If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.

  • Your testing activities must not negatively impact Travefy or Travefy's online environment availability or performance.

Other legal points

  • We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

  • You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

  • Your testing must not violate any law, or disrupt or compromise any data that is not your own.

Confidentiality

Any information you receive or collect about Travefy through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Travefy sites, without Travefy's prior written consent.
