Travefy currently supports a bounty program for discovering vulnerabilities.
How to Submit
You can submit a vulnerability using the form below.
Please note Travefy will only review submissions made via the above form.
All submissions must include:
Area | Submission Information |
About YOU | |
About YOUR SUBMISSION | |
REWARD INFORMATION | |
If you have any issues, please email vbprogram@travefy.com.
You can expect to hear from the Travefy team within 30 business days.
Program Rules
Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
Do not attempt to view, modify, or damage data belonging to others.
Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
Do not attempt to gain access to another user’s account or data.
Do not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
The following test methods are not authorized:
Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Exclusions
The following vulnerabilities are not eligible for bounty.
Network level Denial of Service attacks
Application Denial of Service by locking user accounts
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories (e.g. robots.txt)
Outdated software / library versions
OPTIONS / TRACE HTTP method enabled
Cookies that lack HttpOnly or Secure settings for non-sensitive data
Self-XSS and issues exploitable only through Self-XSS
Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
Attacks requiring physical access to a user's device
Attacks dependent upon social engineering of Travefy employees or vendors.
SSL/TLS best practices.
SSL attacks such as BEAST, BREACH, Renegotiation attack.
Rewards
You may be eligible to receive a monetary reward if:
You are the first person to submit a site or product vulnerability
That vulnerability is determined to be a valid security issue by Travefy's security team
You have complied with all Program Rules
All rewards are paid via Paypal and you will be required to complete a signed W9 form for accounting and tax purposes or a W-8BEN if you are a foreign individual. You can find links to these forms here.
Vulnerability Type | Definition |
Minor Vulnerability | This is for a minor vulnerability with a practical exploit or a serious vulnerability without a practically demonstrated exploit. |
Serious Vulnerability | This is a serious vulnerability with a practically demonstrated exploit and mitigation steps. A serious vulnerability is defined as something that results in exposing customer data or loss of customer data. |
All bounty amounts will be determined at the discretion of the Travefy Inc. Bug Bounty team who will evaluate each report for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.
The minimum bounty amount for a validated bug submission is $25 USD and the maximum bounty for a validated bug submission is $500 USD. Travefy's Bug Bounty team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Travefy Bug Bounty team are final.
Travefy does not reward for minor vulnerabilities that have no practical exploit.
Terms & Conditions
The parties to this agreement are you and "Travefy Inc."
You must abide by the law.
"Travefy Inc." employees, contractors, and their families are not eligible for rewards.
By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than "Travefy Inc." via our Bug Bounty Process.
Submissions selected for rewards and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of Travefy Inc.
By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Travefy Inc. a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that Travefy had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Travefy.
You are responsible for notifying Travefy Inc. of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
Travefy Inc. reserves the right to discontinue the Program at any time without notice.
You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
Your testing activities must not negatively impact Travefy or Travefy's online environment availability or performance.
Other legal points
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.
You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
Confidentiality
Any information you receive or collect about Travefy through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Travefy sites, without Travefy's prior written consent.