Bug bounty
Triaged by HackenProof

Tickets Travel Network / Updated UI : Program info

Tickets Travel Network / Updated UI

Company: Tickets Travel Network
This program is active now
Program info

Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers wide range of products: flights, train and bus journeys.

In scope
TargetTypeSeverityReward
https://tickets.kz/
Web
Critical
Bounty
tickets.kz/my
Web
Critical
Bounty
*.tickets.ua
Web
None
Bounty
kissandfly.com
Web
None
Bounty
travelfrom.fr
Web
None
Bounty
Target
https://tickets.kz/
TypeWeb
Severity
Critical
RewardBounty
Target
tickets.kz/my
TypeWeb
Severity
Critical
RewardBounty
Target
*.tickets.ua
TypeWeb
Severity
None
RewardBounty
Target
kissandfly.com
TypeWeb
Severity
None
RewardBounty
Target
travelfrom.fr
TypeWeb
Severity
None
RewardBounty
Out of scope
TargetTypeSeverityReward
https://tickets.ua/media/
Web
None
Bounty
https://wiki.v2.api.tickets.ua/
Web
None
Bounty
Target
https://tickets.ua/media/
TypeWeb
Severity
None
RewardBounty
Target
https://wiki.v2.api.tickets.ua/
TypeWeb
Severity
None
RewardBounty

Focus Area

TESTING DETAILS

  • Authenticated testing is limited to the credentials you can self-provision or utilize any existing accounts you own - no supplemental credentials or access will be provided for testing.
  • Please use ?refid=123456 during the testing
  • For any booking select a date approximately 6 months in advance.
  • Be sure to use valid data and email addresses, excluding emails that contain “test” anywhere. it can be resulting in the account block
  • Be sure to cancel the booking immediately
  • For payments, you can use any valid credit card
  • Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion)
  • Please include remediation advice where possible

IN SCOPE

  • Issues that result in a full compromise of a system
  • Business logic issues connected with booking flow resulting in a significant impact
  • Privilege escalation issues
  • Authentication bypass
  • Sensitive data exposure

OUT OF SCOPE

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues
  • Denial of service
  • Theoretical issues
  • Spam
  • Infrastructure vulnerabilities, including:
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Infrastructure vulnerabilities, including:
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Missing HTTP security headers
  • Pre-Account takeover issues

Program Rules

  • ! Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Vulnerabilities found in any other regional domain with the same codebase will be considered the same vulnerability
  • Only the first valid bug is eligible for the reward
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
Rewards
Range of bounty$50 - $2,000
Severity
Critical
$1,500 - $2,000
High
$900 - $1,500
Medium
$300 - $700
Low
$50 - $100
Stats
Total rewards$13,600
Bugs found182
Categories
NetworkPlatform
Types
webmobiledesktop
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response7d
Triage Time10d
Reward Time1d
Resolution Time15d