Scope and Policy

author: travala.com
publish time: 2022/10/03

About  

Travala.com is the world's leading blockchain-based travel booking platform, trusted by thousands of customers worldwide as their preferred online travel agency.

 

At Travala.com, we believe that working with skilled security researchers across the globe is crucial to identifying weaknesses in any technology. If you believe you have found a security issue, we encourage you to notify us in accordance with this Bug Bounty Program. We welcome working with you to resolve the issue promptly.

 

Multiple domains  

If you find a vulnerability that affects multiple *.travala.com domains (for example, the same flaw in a shared component), please submit it as a single report rather than one report per domain.

 

Terms and Conditions  

While researching, we ask you to refrain from:

• Denial of service attacks;

• Spamming;

• Violating any law, or disrupting or compromising any data that is not your own; and

• Breaching any terms found in our website terms and conditions and privacy policy.

We reserve the right to amend this Bug Bounty Program and scope at any time without prior notice to you.  

 

Bounty Table

Severity | Score range | Security coin | Additional monetary reward (USDT) | Travel credit equivalent
Critical | 9-11 | 720~960 | $2,000 - $4,000 | 2,300 - 4,600
High | 6-8 | 360~480 | $1,000 - $2,000 | 1,150 - 2,300
Medium | 3-5 | 45~75 | none | none
Low | 1-2 | 9~18 | none | none

 

 

Notwithstanding anything to the contrary, we at all times retain the right to decide on the severity of the reported vulnerability.  

 

Payout

Valid reports are paid to researchers in stablecoin (USDT). You must provide a crypto wallet address to receive the reward.

If you choose to receive your payout as Travel Credit instead of USDT, the amount is increased by 15% (the travel credit figures in the Bounty Table already reflect this).

 

Scope

Web & Infrastructure  

  • *.travala.com  

Mobile Apps

 

Out of scope  

Software published or operated by third-party entities that is not managed by Travala.com (e.g. travala.zendesk.com). Issues in such services should be reported to the third party's own program.

 

Exclusions / Ineligible issues  

The following reports are likely to be considered low priority and may be dismissed as out of scope, and are therefore not eligible to receive a bounty:

• Account/email enumeration  

• Any rate limits for authentication or non-sensitive action attempts  

• Clickjacking/UI redressing  

• DNS misconfigurations/email spoofing  

• Descriptive/verbose/unique error pages (without proof of exploitability)  

• Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)  

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)  

• Missing or lacking security flags on cookies (e.g. Secure, HttpOnly, SameSite)

• Links to invalid/expired pages (only valid if you can demonstrate an actual takeover of an official social media account that is linked to on every page, not just in specific past announcements/blog posts)

• Login/logout/unauthenticated/low-impact CSRF  


• Missing security-related HTTP headers which do not lead directly to a vulnerability  

• Mixed content warnings  

• Reports from automated tools or scans  

• SSL/TLS best practices  

• Self-exploitation (i.e. password reset links, self-XSS, cookie reuse)  


• Session management issues (session hijacking, session fixation, including via the password reset feature) and forgot-password vulnerabilities

• Software version disclosure  

• Tab-nabbing  

• Use of a known-vulnerable library without a working proof of concept demonstrating exploitability on Travala.com


• Vulnerabilities affecting users of outdated browsers or platforms  

• Vulnerabilities reported in staging environments or SaaS setups  

 

Thank you for helping keep Travala.com and our users safe!