Bug bounty
Triaged by HackenProof

Tickets Travel Network / Updated UI : Program info

Company: Tickets Travel Network
This program is active now

Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers a wide range of products: flights, train and bus journeys.

In scope

  Target               Type   Severity   Reward
  https://tickets.kz/  Web    Critical   Bounty
  tickets.kz/my        Web    Critical   Bounty
  *.tickets.ua         Web    None       Bounty
  kissandfly.com       Web    None       Bounty
  travelfrom.fr        Web    None       Bounty

Out of scope

  Target                           Type   Severity   Reward
  https://tickets.ua/media/        Web    None       Bounty
  https://wiki.v2.api.tickets.ua/  Web    None       Bounty

Focus Area

TESTING DETAILS

  • Authenticated testing is limited to the credentials you can self-provision or to existing accounts you own; no supplemental credentials or access will be provided for testing.
  • Please use ?refid=123456 during testing.
  • For any booking, select a date approximately 6 months in advance.
  • Be sure to use valid data and email addresses, excluding email addresses that contain "test" anywhere, as these can result in the account being blocked.
  • Be sure to cancel the booking immediately.
  • For payments, you can use any valid credit card.
  • Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion).
  • Please include remediation advice where possible.

IN SCOPE

  • Issues that result in a full compromise of a system
  • Business logic issues connected with booking flow resulting in a significant impact
  • Privilege escalation issues
  • Authentication bypass
  • Sensitive data exposure

OUT OF SCOPE

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues
  • Denial of service
  • Theoretical issues
  • Spam
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & logout CSRF
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without a proof of concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Infrastructure vulnerabilities, including:
      • Server configuration issues (i.e., open ports, TLS, etc.)
      • Missing HTTP security headers
  • Pre-account takeover issues

Program Rules

  • Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, or interrupting or degrading any service
  • Don't access or modify other users' data; localize all tests to your own accounts
  • Perform testing only within the scope
  • Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don't spam forms or account creation flows using automated scanners
  • If you find chained vulnerabilities, we'll pay only for the vulnerability with the highest severity.
  • Vulnerabilities found in any other regional domain with the same codebase will be considered the same vulnerability
  • Only the first valid bug is eligible for the reward
  • Don't break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission

Rewards

  Range of bounty: $50 - $2,000

  Severity   Reward
  Critical   $1,500 - $2,000
  High       $900 - $1,500
  Medium     $300 - $700
  Low        $50 - $100

Stats

  Total rewards: $15,100
  Submissions: 187
  Types: Web
  Project types: Other

Hackers (88)

  1. 0xj3st3r
  2. YAUHENI SAVUSHKIN
  3. Chouat Abderrahmane
  4. (not listed)
  5. zerokeeper

SLA (Service Level Agreement)
Time within which the program's triage team must respond

  Response type      Business days
  First Response     7d
  Triage Time        10d
  Reward Time        1d
  Resolution Time    15d