After becoming the first hospitality brand to launch a public bug bounty program, Hyatt recently celebrated its first anniversary of the collaboration with HackerOne! Hyatt’s purpose — to care for people so they can be their best — extends beyond guests staying in its hotels; it covers colleagues, customers and hotel owners who utilize Hyatt’s web and mobile applications. As a purpose-driven hospitality brand with 875+ properties in more than 60 countries, its more than 120,000 colleagues engage with tens of thousands of guests around the globe every day.
As you can probably imagine, not an easy feat for any security team to protect and defend on a daily basis! Hyatt began its hacker-powered security journey with HackerOne in 2018 with a private program, inviting a handful of hackers to discover and disclose vulnerabilities for a monetary award or bounty. Before launching the public program, Hyatt had already paid out over $5,000 in bounties to 14 hackers. To further deliver on its purpose of care, Hyatt became the first hospitality brand to start a public bug bounty program in January 2019
HIGHLIGHTS FROM YEAR ONE
In the first year of the public program, 619 hackers from across the globe—including India, United States, Egypt, Russia, Turkey, Pakistan, France, Canada, and China—participated in Hyatt’s bug bounty program and helped the security team discover and resolve bugs that may not have been uncovered by other security testing methods. Through the public bug bounty program, hackers have been awarded more than $175,000 for disclosing valid vulnerabilities on Hyatt.com, world.hyatt.com, and the iOS and Android Hyatt mobile apps that were safely resolved by Hyatt’s digital and technology teams. The top bounty awarded during this period was $6,000 for a critical vulnerability, while the average bounty amount was $881.
“Hyatt’s purpose of care informs all business decisions, and developing a best-in-class cyber security program in order to protect guest, colleague and customer information is one way we are delivering on our purpose,” said Hyatt Chief Information Security Officer Benjamin Vaughn. “We believe there is immense value in having a bug bounty program as part of our cyber security strategy, and we encourage all companies, not just those in the hospitality industry, to take a similar approach and consider bug bounty as a proactive security initiative.”
A SUCCESSFUL COLLABORATION WITH HACKERS
Hyatt’s dedication to security is validated by its agile response and resolution times for reported bugs. On average, Hyatt’s digital and technology teams take less than 20 days to properly triage and resolve valid bug reports from hackers, well ahead of industry standards. Hyatt’s listening-based approach to business also extends into the hacker community, with the team continually asking for hacker feedback through surveys and promotions to engage the community.
“The collaboration with HackerOne has bolstered our cyber security posture and has become an integral part of our strategy,” said Hyatt’s Robert Lowery, vulnerability management analyst and bug bounty program manager. “HackerOne’s process enables us to efficiently address vulnerability reports as they come in and HackerOne's Hacker-Powered Retesting allows us to work more closely with the community so that remediation can be validated faster and more accurately."
A LOOK TO THE FUTURE
As the public bug bounty program moves into year two, Hyatt has widened the scope of its bug bounty program as well as increased the bounty payments. This month, Hyatt expanded the program to include all internet-facing assets in its data centers and announced an increase in bounty payments, with critical severity bugs increasing by 33 percent and high severity bugs increasing by 50 percent.
If you’re interested in learning more about Hyatt’s bug bounty program or want to submit a vulnerability report, visit https://hackerone.com/hyatt.