HuntDash - expediagroup

Target Policy

https://hackerone.com/expediagroup_bbp?type=team

Structured Scope

Asset Identifier

Asset Type

Max Severity
*.expediapartnercentral.com

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:**
discoveryhub.expediapartnersolutions.com
gco-get.expediapartnersolutions.com
gco.expediapartnersolutions.com
info.expediapartnersolutions.com
status.expediapartnersolutions.com
support.expediapartnersolutions.com
sure.expediapartnersolutions.com
taap-ui-bundles-test.expediapartnersolutions.com
taap-ui-bundles.expediapartnersolutions.com
taapacademy.expediapartnersolutions.com

WILDCARD

critical
566635048

[Hotwire iOS App](https://apps.apple.com/us/app/hotwire-last-minute-hotels/id566635048)

APPLE_STORE_APP_ID

critical
www.cheaptickets.com

URL

critical
www.expediapartnercentral.com

Partner Central provides tools and information to help Expedia's travel partners manage their listings on Expedia's marketplace. You should be able to sign up, but not to list a non-existent property due to Expedia's verification mechanisms.

We are interested in any security issues you may discover along the way that pertains to unauthorized access to or modification of data about users, travelers, financial settings, credit cards, rates, occupancy & promotions.

URL

critical
com.hotwire.hotels

[Hotwire Android App](https://play.google.com/store/apps/details?id=com.hotwire.hotels)

GOOGLE_PLAY_APP_ID

critical
427916203

Expedia iOS App

https://apps.apple.com/us/app/expedia-hotels-flights-car/id427916203

APPLE_STORE_APP_ID

critical
*.wotif.com

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:** - groups.wotif.com, link.wotif.com, res.ac.wotif.com, smobile.wotif.com, w.smobile.wotif.com

WILDCARD

critical
com.vrbo.android

[VRBO Android App](https://play.google.com/store/apps/details?id=com.vrbo.android)

GOOGLE_PLAY_APP_ID

critical
*.travelocity.ca

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

*Out of scope subdomains:* - click.e.travelocity.ca, fr.groups.travelocity.ca, groups.travelocity.ca, om.travelocity.ca, oms.travelocity.ca

WILDCARD

critical
www.hotwirepartnercentral.com

URL

critical
com.cheaptickets

This is the cheaptickets Android app

https://play.google.com/store/apps/details?id=com.cheaptickets

GOOGLE_PLAY_APP_ID

critical
www.wotif.com

URL

critical
com.hcom.android

[Hotels Android App](https://play.google.com/store/apps/details?id=com.hcom.android)

GOOGLE_PLAY_APP_ID

critical
www.abritel.fr

Out of scope subdomains: - https://www.abritel.fr/api/track

Note: We are requesting not to test this URL: https://www.abritel.fr/api/track.

URL

critical
*.lastminute.co.nz

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:** - res.ac.lastminute.co.nz

Please note *.lastminute.com is NOT owned by Expedia Group and is out of scope.

WILDCARD

critical
www.fewo-direkt.de

URL

critical
com.orbitz

This is the Orbitz Android app

https://play.google.com/store/apps/details?id=com.orbitz

GOOGLE_PLAY_APP_ID

critical
www.bookabach.co.nz

URL

critical
*.carrentals.com

Some subdomains are owned by third parties and are therefore out of scope and ineligible for bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains**: - dbmanalytics.carrentals.com

WILDCARD

critical
www.expediataap.com

URL

high
www.expediapartnersolutions.com

URL

none
com.expedia.bookings

Expedia Android App

https://play.google.com/store/apps/details?id=com.expedia.bookings

GOOGLE_PLAY_APP_ID

critical
*.hotwire.com

Some subdomains are owned by third parties and are therefore *out of scope* and *ineligible for bounty*. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains**:partners.hotwire.com, press.hotwire.com, movableink.hotwire.com, affiliates.hotwire.com

WILDCARD

critical
com.ebookers

This is the ebookers Android app

https://play.google.com/store/apps/details?id=com.ebookers

GOOGLE_PLAY_APP_ID

critical
www.ebookers.fi

URL

critical
www.mrjet.se

URL

critical
www.expediacruises.com

URL

critical
284971959

https://apps.apple.com/us/app/hotels-com-book-your-hotel/id284971959

APPLE_STORE_APP_ID

critical
1245772818

https://apps.apple.com/us/app/vrbo-vacation-rentals/id1245772818

APPLE_STORE_APP_ID

critical
www.hotwire.com

URL

critical
www.flights.com

URL

critical
www.stayz.com.au

URL

critical
www.expedia-aarp.com

URL

critical
www.expediaagents.com

Testing has been temporarily suspended to prevent business disruptions.

URL

none
com.travelocity.android

This is the travelocity Android app

https://play.google.com/store/apps/details?id=com.travelocity.android

GOOGLE_PLAY_APP_ID

critical
531549799

This is the wotif iOS app

https://apps.apple.com/au/app/wotif-hotels-flights/id531549799

APPLE_STORE_APP_ID

critical
www.ebookers.com

URL

critical
483394780

This is the ebookers iOS app

https://apps.apple.com/us/app/ebookers-hotels-flights/id483394780

APPLE_STORE_APP_ID

critical
880759727

This is the cheaptickets iOS app

https://apps.apple.com/us/app/cheaptickets-hotels-flights/id880759727

APPLE_STORE_APP_ID

critical
284803487

This is the travelocity iOS app

https://apps.apple.com/us/app/travelocity-hotels-flights/id284803487

APPLE_STORE_APP_ID

critical
403546234

This is the Orbitz iOS app

https://apps.apple.com/us/app/orbitz-hotels-flights/id403546234

APPLE_STORE_APP_ID

critical
bookus.expediacruises.com

Testing has been temporarily suspended to prevent business disruptions.

URL

none
www.carrentals.com

URL

critical
*.lastminute.com.au

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.
*Out of scope subdomains:* - mi.lastminute.com.au, mtx.lastminute.com.au, smtx.lastminute.com.au

Please note *.lastminute.com is NOT owned by Expedia Group and is out of scope.

WILDCARD

critical
www.expediagroup.com

URL

critical
*.travelocity.com

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:** - br.ac.travelocity.com, groups.travelocity.com, mi.travelocity.com, om.travelocity.com, oms.travelocity.com, thingstodo.travelocity.com, track.travelocity.com, view.e.travelocity.com

WILDCARD

critical
*.cheaptickets.com

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:** - faq-lab.cheaptickets.com, faq.cheaptickets.com, groups.cheaptickets.com, link.mailer.cheaptickets.com, login.cheaptickets.com, mi.cheaptickets.com, refer.cheaptickets.com, secure.cheaptickets.com, track.cheaptickets.com

WILDCARD

critical
www.lastminute.com.au

URL

critical
www.expedia.com

Please note the only point-of-sale assets of www.expedia.com are in scope. This includes regional versions of www.expedia.com such as www.expedia.co.in and www.expedia.co.uk.

Other sub-domains are out of scope and ineligible for a bounty.

URL

critical
www.hotels.com

Please note only point of sale assets of www.hotels.com are in scope. This includes regional versions of www.hotels.com such as www.in.hotels.com, www.uk.hotels.com, and www.fr.hotels.com.

Other sub-domains are out of scope and ineligible for bounty.

URL

critical
www.vrbo.com

URL

critical
com.wotif.android

This is the wotif Android app

https://play.google.com/store/apps/details?id=com.wotif.android

GOOGLE_PLAY_APP_ID

critical
www.travelocity.ca

URL

critical
*.vrbo.com

**Out of scope subdomains**: li.vrbo.com, media.vrbo.com, om.vrbo.com, community.vrbo.com, trk.vrbo.com

WILDCARD

critical
www.orbitz.com

URL

critical
www.travelocity.com

URL

critical
www.lastminute.co.nz

URL

critical
*.expediacruises.com

**Testing has been temporarily suspended to prevent business disruptions. **

Some subdomains are owned by third parties and are therefore out of scope and ineligible for a bounty. Before submitting your report, please confirm that the asset you are testing does not appear in the Out of Scope list below.

**Out of scope subdomains:** - socialhub.expediacruises.com

WILDCARD

none