Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers a wide range of products: flights, train and bus journeys.
In Scope
Target | Type | Reward
---|---|---
https://tickets.kz/ | Web | Bounty
tickets.kz/my | Web | Bounty
*.tickets.ua | Web | Bounty
kissandfly.com | Web | Bounty
travelfrom.fr | Web | Bounty
TESTING DETAILS
- Authenticated testing is limited to credentials you can self-provision or existing accounts you own; no supplemental credentials or access will be provided for testing.
- Please use ?refid=123456 during the testing
- For any booking select a date approximately 6 months in advance.
- Be sure to use valid data and email addresses, excluding emails that contain “test” anywhere, as this can result in the account being blocked.
- Be sure to cancel the booking immediately
- For payments, you can use any valid credit card
- Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion)
- Please include remediation advice where possible
IN SCOPE
- Issues that result in a full compromise of a system
- Business logic issues connected with booking flow resulting in a significant impact
- Privilege escalation issues
- Authentication bypass
- Sensitive data exposure
OUT OF SCOPE
- Vulnerabilities in third-party applications
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a proof of concept
- Vulnerabilities involving active content such as web browser add-ons
- Most brute-forcing issues
- Denial of service
- Theoretical issues
- Spam
- Infrastructure vulnerabilities, including:
  - Open redirects
  - Session fixation
  - User account enumeration
  - Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
  - Descriptive error messages (e.g. stack traces, application or server errors)
  - Self-XSS that cannot be used to exploit other users
  - Login & Logout CSRF
  - CSRF in forms that are available to anonymous users (e.g. the contact form)
  - OPTIONS/TRACE HTTP method enabled
  - Host header issues without a proof of concept demonstrating the vulnerability
  - Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  - Content spoofing without embedded links/HTML
  - Reflected File Download (RFD)
- Infrastructure vulnerabilities, including:
  - Server configuration issues (e.g. open ports, TLS, etc.)
  - Missing HTTP security headers
  - Pre-account takeover issues
- Avoid using web application scanners for automatic vulnerability searching, as they generate massive traffic
- Make every effort not to damage or restrict the availability of products, services or infrastructure
- Avoid compromising any personal data, interruption or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
- Don’t spam forms or account creation flows using automated scanners
- If you find chained vulnerabilities, we will pay only for the vulnerability with the highest severity.
- Vulnerabilities found in any other regional domain with the same codebase will be considered the same vulnerability
- Only the first valid bug is eligible for the reward
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission