Priceline HackerOne


Target Policy
https://hackerone.com/priceline?type=team
Structured Scope
  Each entry lists the asset identifier, its asset type and the maximum severity accepted for it.
  • https://www.priceline.com/pwd/v0/pcln-graphql/ (URL, max severity: critical)
  • www.priceline.com* (URL, max severity: critical)
  • secure.rezserver.com (URL, max severity: critical)
  • priceline.com (URL, max severity: critical)
  • flyiin.com (URL, max severity: critical)
  • 336381998 (APPLE_STORE_APP_ID, max severity: critical)
    [Priceline iOS App](https://apps.apple.com/us/app/priceline-hotel-travel-deals/id336381998)
  • ir.bookingholdings.com (URL, max severity: critical)
  • bookingholdings-coe.com (URL, max severity: critical)
  • admin.rezserver.com (URL, max severity: critical)

    **Policy Guidance**
    We are not currently providing credentials for this asset.

    **Rules of Engagement**
    - In request headers, use 'hackerone-{your username}' as the User-Agent
    - Keep request volume low; automated testing is not permitted
    - Do not fuzz contact forms
    - Do not fuzz "Request Account Activation" and "Request Product Activation"
    - Do not fuzz the "Change Request under Sites" request
    - Do not modify other hacker_* user accounts under the HackerOne test account

    **Non-Qualifying Vulnerabilities and Exclusions**
    - CSRF

  • api.rezserver.com (URL, max severity: critical)

    **Rezserver API**
    _Policy Guidance_
    We are not currently providing credentials for this asset.

    _Rules_
    - Don't use automated tools or scanners
    - Don't DDoS

    _Out of scope vulnerabilities_
    - Missing best practices in HTTP header configuration
    - Any activity that could lead to the disruption of our service (DoS)
    - Missing best practices in SSL/TLS configuration
    - Account/email enumeration issues
    - Disclosure of software version numbers (we maintain forks of several tools and apply security patches accordingly)
    - Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure

    _Endpoints out of scope_
    - Hotel: BookRequest
    - Air: all endpoints
    - Car: all endpoints
    - Custom: all endpoints

  • reservations.rezserver.com (URL, max severity: critical)
  • www.airportrentalcars.com (URL, max severity: none)
    Airportrentalcars.com is currently *not* in scope. Please do not test it.
  • com.priceline.android.negotiator (GOOGLE_PLAY_APP_ID, max severity: critical)
  • www.priceline.com/vp-web/* (OTHER, max severity: none)
    The path www.priceline.com/vp-web/* will be decommissioned soon, so it is not eligible for bounty.
  • availability.getaroom.com (URL, max severity: none)
  • extranet.getaroom.com (URL, max severity: none)
  • breadcrumb.getaroom.com (URL, max severity: none)
  • supply.getaroom.com (URL, max severity: none)
  • stockroom.production.getaroom.com (URL, max severity: none)
  • www.bookingholdings.com (URL, max severity: none)
  • www.priceline.com (URL, max severity: critical)
  • press.priceline.com (URL, max severity: medium)
  • www.getaroom.com (URL, max severity: critical)
  • Penny (AI_MODEL, max severity: critical)
    https://www.priceline.com/penny
  • cruises.priceline.com (URL, max severity: critical)
Target Scope Domains
  • admin.rezserver.com
  • api.rezserver.com
  • bookingholdings-coe.com
  • cruises.priceline.com
  • flyiin.com
  • ir.bookingholdings.com
  • press.priceline.com
  • priceline.com
  • reservations.rezserver.com
  • secure.rezserver.com
  • www.getaroom.com
  • www.priceline.com
Tech Stack

Last Finished Scan
  • Scan name: allsubs
  • Fleet: allsubs
  • State: Finished
  • Duration: 23.00 minutes
  • Finished: 2 weeks, 6 days ago