Hyatt's Bug Bounty Program Update: Q&A with Senior Analyst Robert Lowery

Q: Tell us who you are.

I'm Robert Lowery, Senior Analyst at Hyatt. I'm part of the Vulnerability Management team, which oversees the bug bounty program, AppSec, penetration testing, and vulnerability remediations. We also assist with regulatory requirements to ensure we remain compliant. A fascinating part of my job is performing penetration tests at hotels. Our team visits properties to perform physical and network-based penetration tests. It's an amazing opportunity to see Hyatt's properties, identify ways to improve our security, and share those findings with colleagues.

Q: Tell us about your bug bounty program's evolution from 2018 to today.

At Hyatt, our bug bounty program enables us to deliver on our purpose to care for people so they can be their best. Protecting colleague and guest information is a top priority, and we identified bug bounty as another way to enhance our cybersecurity efforts. It's been very rewarding to witness the evolution of our bug bounty program. The program started privately with seven researchers in September 2018. Within three months, we saw the program‘s benefits and swiftly expanded to a full-blown worldwide public bug bounty program in January 2019.

The transition to a public program was very exciting. The reports from researchers demonstrated creative and strategic thinking, powered by a highly specialized skill set, and it was thrilling to see their work. Thanks to HackerOne's fantastic triage team and the dedication from our team members' remediations, the program grew to an exciting level.

Since the public launch, we have steadily expanded the program scope and increased bounty payments. The scope not only grew from guest-facing assets to external business assets, but we also added more types of vulnerabilities eligible for bounty payments. Privacy and fraud categories are now eligible for bounty payments, and, importantly, our bounty payments for privacy and fraud findings grew from $2,000 to $10,000! We take pride in rewarding our researchers as they provide an incredible service that only they can produce. 

Q: As of today, you've paid $500,000 in bounties! That's a lot of money. What's the ROI?

The $500k in bounties covers a variety of reports. To date, we’ve resolved more than 400 reports and currently have 23 assets in scope. We have seen a reduction in specific vulnerabilities like path traversal and business logic errors since the inception of the bug bounty program. Teams and leadership continuously gain new insights from bug bounty reports, and the learnings have been considered and applied during many development processes. As an example, when new architecture is proposed, teams will discuss relatable bug bounty reports to ensure that previous issues are not present in future releases.

Q: How have hackers helped you reduce risk?

Security researchers help us reduce risk by constantly testing our production environments. We have a fantastic community of security researchers providing feedback and perspectives that we value greatly. It is difficult to quantify a potential attack, but we are certain the remediations made from security researchers' reports have improved our security posture.

Q: How do you quantify working with hackers?

Each report tells a story. These stories tell worst-case scenarios that we avoided because a security researcher provided a report. Telling these stories to leadership is an excellent opportunity to demonstrate the value of the bug bounty program and security researchers, which enables us to continue expanding our program.

Q: Tell us about some of the assets in your scope and the importance of securing those assets.

Our scope started with guest-facing assets like hyatt.com. It is essential to secure hyatt.com because that's the source of most of our bookings come. The bug bounty program helps identify security issues that automated tools are unable to detect. Tools will not go through your entire booking process and evaluate business logic vulnerabilities like security researchers can.

Q: What's the biggest lesson you've learned?

There are so many lessons learned from our bug bounty program, and one of the most important lessons is that automated scanning cannot detect all existing vulnerabilities. A scanner may detect vulnerable software versions and some misconfigurations, but a security researcher will examine targets holistically and understand how all of the different pieces of technology interact together. A scanner will most likely not detect Server-Side Request Forgery vulnerabilities, but security researchers will find them and provide fascinating reports demonstrating high impacts.

Q: What does success look like in the future for Hyatt's program?

Success for Hyatt is the expansion and growth of the program. Soon, our program will incorporate dynamic bounties, which gradually raise payments over time for specific report severities. For example, the critical bounty payment will rise until a particular time is reached or a triaged critical report is submitted. Another priority for the program is the creation of a 'Super Critical' category, which will contain a very high bounty payment and precise requirements.

Q: As you pass the $500,000 bounties paid milestone, what would you like to say to the hacker community?

Thank you, security researchers! We appreciate all the hard work and time spent participating in our program. The partnership with the security research community has been enriching, and we are so grateful for their work, which helps us best protect our guests' and colleagues' information. We love to read and learn from the reports that security researchers provide.

We look forward to deepening our relationship with the security research community as we continue to expand our program.

--

To learn more about the benefits of a bug bounty program, check out HackerOne Bounty