Travefy currently supports a bounty program for discovering vulnerabilities. 


  • Minor Vulnerability: USD $10 Reward. This is for a minor vulnerability with a practical exploit or a serious vulnerability without a practically demonstrated exploit.

  • Serious Vulnerability: USD $50 Reward. This is a serious vulnerability with a practically demonstrated exploit and mitigation steps. A serious vulnerability is defined as something that results in exposing customer data or loss of customer data.

Please note, Travefy does not reward for minor vulnerabilities that have no practical exploit. Additionally you can further explore how we define a practical exploit here.

Eligibility & Payment Requirements

  • If you are scanning systems or performing any test with potential performance implications to our systems, you must notify Travefy in advance of any testing and must include potential performance implications for our explicit approval. Notifications should be sent to If you do not contact Travefy in advance you will not be eligible for a bounty.

  • Following any testing, please send your findings to for discussion.

  • Rewards can only be paid via PayPal or Amazon Gift Card and you will be required to fill out a W9 form for accounting and tax purposes (or a W-8BEN if you are a foreign individual). You can access a W9 form here. or a W-8BEN here.

  • No individual is eligible for or may earn more that $599 in rewards in a given calendar year.

  • If you repeatedly submit the same vulnerability you will lose eligibility to participate in Travefy's Vulnerability Bounty Program.

  • We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

  • You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

  • Your testing must not violate any law, or disrupt or compromise any data that is not your own.

Did this answer your question?