Booking.com HackerOne
Target Policy
https://hackerone.com/bookingcom?type=teamStructured Scope
-
Asset Identifier
Asset Type
Max Severity
-
compass.fareharbor.comURLcritical
-
https://play.google.com/store/apps/details?id=com.booking.hotelmanager&hl=enGOOGLE_PLAY_APP_IDcritical
-
secure.booking.comURLcritical
-
widget.rentalcars.comURLcritical
-
www.fareharbor.comURLcritical
-
https://apps.apple.com/us/app/pulse-for-booking-com-partners/id992795726APPLE_STORE_APP_IDcritical
-
www.sustainability.booking.comURLcritical
-
cruises.booking.comURLcritical
-
marketing.fareharbor.comURLcritical
-
*.fareharbor.comWILDCARDcritical
-
sites.fareharbor.comURLcritical
-
demo.fareharbor.comURLcritical
-
readonly.fareharbor.comURLcritical
-
taxi.booking.comURLcritical
-
autocomplete.booking.comURLcritical
-
spark.fareharbor.comURLcritical
-
https://apps.apple.com/us/app/booking-com-hotels-travel/id367003839APPLE_STORE_APP_IDcritical
-
tableau.fareharbor.engineeringURLcritical
-
taxis.booking.comURLcritical
-
paymentcomponent.booking.comURLcritical
-
admin.booking.com
Incorrect permission check for different roles is out of scope.
URLcritical -
chat.booking.comURLcritical
-
https://iphone-xml.booking.com/json/URLcritical
-
https://secure-iphone-xml.booking.com/json/URLcritical
-
kyc-onboarding.booking.comURLcritical
-
http://secure-iphone-xml.booking.com/json/URLcritical
-
supplier.auth.toag.booking.comURLcritical
-
metasearch-api.booking.comURLcritical
-
experiences.booking.comURLcritical
-
webhooks.booking.comURLcritical
-
paybridge.booking.comURLcritical
-
phone-validation.taxi.booking.comURLcritical
-
indicative-pricing.taxi.booking.comURLcritical
-
distribution-xml.booking.comURLcritical
-
paynotifications.booking.comURLcritical
-
supply-xml.booking.comURLcritical
-
accommodations.booking.comURLcritical
-
secure-supply-xml.booking.comURLcritical
-
cars.booking.comURLcritical
-
teleport.fareharbor.engineeringURLcritical
-
careers.booking.comURLcritical
-
https://play.google.com/store/apps/details?id=com.booking&hl=enGOOGLE_PLAY_APP_IDcritical
-
flights.booking.comURLcritical
-
account.booking.comURLcritical
-
portal.taxi.booking.comURLcritical
-
*.fareharbor.engineeringWILDCARDcritical
-
fareharborsites.comURLcritical
-
booking.comURLcritical
-
*.rentalcars.com
if there's any vulnerabilities raised on this asset that are owned by a third party we will not be accepting those reports
WILDCARDcritical -
business.booking.com/
*.business.booking.com is out of scope until further notice.
reports submitted prior to 06/11/2024 will still be acceptedURLnone -
*.booking.com
if there's any vulnerabilities raised on this asset that are owned by a third party we will not be accepting those reports
WILDCARDcritical -
fhdn.fareharbor.comURLcritical
Target Scope Domains
- accommodations.booking.com
- account.booking.com
- admin.booking.com
- autocomplete.booking.com
- booking.com
- careers.booking.com
- cars.booking.com
- chat.booking.com
- compass.fareharbor.com
- cruises.booking.com
- demo.fareharbor.com
- distribution-xml.booking.com
- experiences.booking.com
- fareharbor.com
- fareharbor.engineering
- fareharborsites.com
- fhdn.fareharbor.com
- flights.booking.com
- indicative-pricing.taxi.booking.com
- iphone-xml.booking.com
- kyc-onboarding.booking.com
- marketing.fareharbor.com
- metasearch-api.booking.com
- paybridge.booking.com
- paymentcomponent.booking.com
- paynotifications.booking.com
- phone-validation.taxi.booking.com
- portal.taxi.booking.com
- readonly.fareharbor.com
- rentalcars.com
- secure-iphone-xml.booking.com
- secure-supply-xml.booking.com
- secure.booking.com
- sites.fareharbor.com
- spark.fareharbor.com
- supplier.auth.toag.booking.com
- supply-xml.booking.com
- tableau.fareharbor.engineering
- taxi.booking.com
- taxis.booking.com
- teleport.fareharbor.engineering
- webhooks.booking.com
- widget.rentalcars.com
- www.fareharbor.com
- www.sustainability.booking.com
Tech Stack
Last Finished Scan:
Scan Name
Fleet
Finished
State
- Fleet: allkxss
- Duration: 27 Seconds
- Finished: 1 week, 5 days ago