Booking.com HackerOne


Target Policy
https://hackerone.com/bookingcom?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • admin.booking.com

    Incorrect permission checks for different roles are out of scope.

    We have recently run an internal pen-test on this asset, and we are working through the vulnerabilities found. There may be duplicates reported to us, so please be aware of this when submitting your report.

    URL
    critical
  • widget.rentalcars.com
    URL
    critical
  • paymentcomponent.booking.com
    URL
    critical
  • marketing.fareharbor.com
    URL
    critical
  • autocomplete.booking.com
    URL
    critical
  • cruises.booking.com
    URL
    critical
  • demo.fareharbor.com
    URL
    critical
  • sites.fareharbor.com
    URL
    critical
  • compass.fareharbor.com
    URL
    critical
  • www.sustainability.booking.com
    URL
    critical
  • www.fareharbor.com
    URL
    critical
  • readonly.fareharbor.com
    URL
    critical
  • tableau.fareharbor.engineering
    URL
    critical
  • *.fareharbor.com
    WILDCARD
    critical
  • https://apps.apple.com/us/app/booking-com-hotels-travel/id367003839
    APPLE_STORE_APP_ID
    critical
  • secure.booking.com
    URL
    critical
  • taxis.booking.com
    URL
    critical
  • https://apps.apple.com/us/app/pulse-for-booking-com-partners/id992795726
    APPLE_STORE_APP_ID
    critical
  • spark.fareharbor.com
    URL
    critical
  • https://play.google.com/store/apps/details?id=com.booking.hotelmanager&hl=en
    GOOGLE_PLAY_APP_ID
    critical
  • taxi.booking.com
    URL
    critical
  • chat.booking.com
    URL
    critical
  • https://iphone-xml.booking.com/json/
    URL
    critical
  • https://secure-iphone-xml.booking.com/json/
    URL
    critical
  • kyc-onboarding.booking.com
    URL
    critical
  • http://secure-iphone-xml.booking.com/json/
    URL
    critical
  • supplier.auth.toag.booking.com
    URL
    critical
  • metasearch-api.booking.com
    URL
    critical
  • experiences.booking.com
    URL
    critical
  • webhooks.booking.com
    URL
    critical
  • paybridge.booking.com
    URL
    critical
  • phone-validation.taxi.booking.com
    URL
    critical
  • indicative-pricing.taxi.booking.com
    URL
    critical
  • distribution-xml.booking.com
    URL
    critical
  • paynotifications.booking.com
    URL
    critical
  • supply-xml.booking.com
    URL
    critical
  • accommodations.booking.com
    URL
    critical
  • secure-supply-xml.booking.com
    URL
    critical
  • cars.booking.com
    URL
    critical
  • teleport.fareharbor.engineering
    URL
    critical
  • careers.booking.com
    URL
    critical
  • https://play.google.com/store/apps/details?id=com.booking&hl=en
    GOOGLE_PLAY_APP_ID
    critical
  • flights.booking.com
    URL
    critical
  • account.booking.com
    URL
    critical
  • portal.taxi.booking.com
    URL
    critical
  • *.fareharbor.engineering
    WILDCARD
    critical
  • fareharborsites.com
    URL
    critical
  • booking.com
    URL
    critical
  • *.rentalcars.com

    Vulnerabilities raised on this asset that are owned by a third party will not be accepted.

    WILDCARD
    critical
  • business.booking.com/

    *.business.booking.com is out of scope until further notice.
    Reports submitted prior to 06/11/2024 will still be accepted.

    URL
    none
  • *.booking.com

    Vulnerabilities raised on this asset that are owned by a third party will not be accepted.

    WILDCARD
    critical
  • fhdn.fareharbor.com
    URL
    critical
Target Scope Domains
  • accommodations.booking.com
  • account.booking.com
  • admin.booking.com
  • autocomplete.booking.com
  • booking.com
  • careers.booking.com
  • cars.booking.com
  • chat.booking.com
  • compass.fareharbor.com
  • cruises.booking.com
  • demo.fareharbor.com
  • distribution-xml.booking.com
  • experiences.booking.com
  • fareharbor.com
  • fareharbor.engineering
  • fareharborsites.com
  • fhdn.fareharbor.com
  • flights.booking.com
  • indicative-pricing.taxi.booking.com
  • iphone-xml.booking.com
  • kyc-onboarding.booking.com
  • marketing.fareharbor.com
  • metasearch-api.booking.com
  • paybridge.booking.com
  • paymentcomponent.booking.com
  • paynotifications.booking.com
  • phone-validation.taxi.booking.com
  • portal.taxi.booking.com
  • readonly.fareharbor.com
  • rentalcars.com
  • secure-iphone-xml.booking.com
  • secure-supply-xml.booking.com
  • secure.booking.com
  • sites.fareharbor.com
  • spark.fareharbor.com
  • supplier.auth.toag.booking.com
  • supply-xml.booking.com
  • tableau.fareharbor.engineering
  • taxi.booking.com
  • taxis.booking.com
  • teleport.fareharbor.engineering
  • webhooks.booking.com
  • widget.rentalcars.com
  • www.fareharbor.com
  • www.sustainability.booking.com
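The two lists above are the data a tester has to operationalize before touching anything: wildcards cover subdomains, the apex hosts are listed separately, business.booking.com is carved out despite the *.booking.com wildcard, and the *.booking.com and *.rentalcars.com wildcards exclude third-party-owned hosts. The following scope matcher is an added example, not HackerOne's or Booking.com's code. The entries are copied from the scope lists on this page (only a representative subset of the exact hosts); the matching rules are assumptions about how to read the scope: a `*.example.com` wildcard matches subdomains at any depth but not the apex, exclusions take precedence over wildcards, and a match via one of the two wildcards carrying the third-party caveat is flagged so the tester checks ownership (for example a CNAME to a vendor) before reporting.

```python
"""Scope matcher for the Booking.com HackerOne structured scope (added example)."""
from urllib.parse import urlsplit

# In-scope entries copied from the Structured Scope list on this page.
# Exact hosts come first so they win over a wildcard that also covers them.
# Only a few of the many exact hosts are included here (assumption: the
# remaining exact hosts are all covered by one of the wildcards anyway).
IN_SCOPE = [
    "booking.com",
    "fareharborsites.com",
    "fhdn.fareharbor.com",
    "*.booking.com",
    "*.fareharbor.com",
    "*.fareharbor.engineering",
    "*.rentalcars.com",
]

# Carve-out stated in the scope notes: business.booking.com and all of its
# subdomains are out of scope until further notice.
OUT_OF_SCOPE = [
    "business.booking.com",
    "*.business.booking.com",
]

# Wildcards whose scope note excludes third-party-owned hosts. A hit via one
# of these still needs an ownership check before a report is filed.
THIRD_PARTY_CAVEAT = {"*.booking.com", "*.rentalcars.com"}


def host_of(target):
    """Normalize a URL or bare hostname to a lowercase hostname without a
    trailing dot. Returns '' when no hostname can be extracted."""
    t = target.strip()
    if "://" not in t:
        t = "//" + t            # lets urlsplit treat a bare host as a netloc
    host = urlsplit(t).hostname  # already lowercased, port stripped
    return host.rstrip(".") if host else ""


def matches(pattern, host):
    """A '*.example.com' wildcard matches any subdomain at any depth but not
    the apex itself; anything else is an exact-host comparison. The leading
    dot in the suffix is what keeps 'evilbooking.com' from matching."""
    if pattern.startswith("*."):
        suffix = pattern[1:]    # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(target):
    """Classify a URL or hostname against the scope.

    Returns a dict with the normalized host, a verdict of 'out-of-scope',
    'in-scope' or 'unlisted', the rule that produced it, and whether the
    tester must confirm first-party ownership before reporting.
    """
    host = host_of(target)
    result = {"host": host, "verdict": "unlisted", "rule": None,
              "ownership_check": False}
    if not host:
        return result
    # Exclusions are checked first so they beat the *.booking.com wildcard.
    for rule in OUT_OF_SCOPE:
        if matches(rule, host):
            result.update(verdict="out-of-scope", rule=rule)
            return result
    for rule in IN_SCOPE:
        if matches(rule, host):
            result.update(verdict="in-scope", rule=rule,
                          ownership_check=rule in THIRD_PARTY_CAVEAT)
            return result
    return result


if __name__ == "__main__":
    # Constructed sample targets, not taken from any real recon output.
    for t in ["https://admin.booking.com/login", "booking.com",
              "foo.business.booking.com", "evilbooking.com",
              "http://widget.rentalcars.com/", "tableau.fareharbor.engineering"]:
        r = classify(t)
        print(f"{t:40} {r['verdict']:13} rule={r['rule']} "
              f"ownership_check={r['ownership_check']}")
```

Feed it the candidate hosts from subdomain enumeration and only spend time on the `in-scope` ones; for anything flagged `ownership_check`, resolve the name and confirm it is not a vendor-hosted property before writing the report, since the scope notes say such reports are not accepted.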
Tech Stack

Last Finished Scan:
  • Fleet: allkxss
  • Duration: 24 Seconds
  • Finished: 1 month, 2 weeks ago
  • State: Finished