HackerOne · Bug Bounty

Hyatt Hotels Bug Bounty Program

Complete guide to Hyatt Hotels' bug bounty program on HackerOne. View in-scope assets, reward amounts, response times, and tips for finding vulnerabilities.

Program Overview

Hyatt Hotels runs a bug bounty program on HackerOne. The program has 63 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets: 63
Avg Response: 3h
Efficiency: 100%
Avg Bounty Time: 6d
Avg Resolve: 73d

In-Scope Assets

Asset | Type | Max Severity | Eligible
140.95.0.0/16 | CIDR | Critical | Bounty
199.66.248.0/22 | CIDR | Critical | Bounty
213.139.133.32/28 | CIDR | Critical | Bounty
476639005 | APPLE_STORE_APP_ID | Critical | Bounty
assets.hyatt.com | URL | Critical | Bounty
blueskytours.globalbookingsolutions.com | URL | Critical | Bounty
book.applevacations.com | URL | Critical | Bounty
book.beachbound.com | URL | Critical | Bounty
book.booktandl.com | URL | Critical | Bounty
book.cheapcaribbean.com | URL | Critical | Bounty
booking.applevacations.com | URL | Critical | Bounty
booking.beachbound.com | URL | Critical | Bounty
booking.cheapcaribbean.com | URL | Critical | Bounty
com.Hyatt | GOOGLE_PLAY_APP_ID | Critical | Bounty
confluence.hyattdev.com | URL | Critical | Bounty
ebsext.oft.hyatt.com | URL | Critical | Bounty
hyatt.com | URL | Critical | Bounty
jira.hyattdev.com | URL | Critical | Bounty
login.www.vaxvacationaccess.com | URL | Critical | Bounty
meetings.hyatt.com | URL | Critical | Bounty
mobileapp.hyatt.com | URL | Critical | Bounty
new.www.vaxvacationaccess.com | URL | Critical | Bounty
newsroom.images.hyatt.com | URL | Critical | Bounty
plannerrequest.hyatt.com | URL | Critical | Bounty
public.hyatt.com | URL | Critical | Bounty
res.blueskytours.globalbookingsolutions.com | URL | Critical | Bounty
res.funjet.com | URL | Critical | Bounty
res.hyattinclusivecollection.com | URL | Critical | Bounty
res.secretsresorts.com | URL | Critical | Bounty
res.skyteam.com | URL | Critical | Bounty
res.universalorlandovacations.com | URL | Critical | Bounty
res.vacations.buschgardens.com | URL | Critical | Bounty
res.vacations.discoverycove.com | URL | Critical | Bounty
res.vacations.seaworld.com | URL | Critical | Bounty
res.vacations.sesameplace.com | URL | Critical | Bounty
res.vacations.united.com | URL | Critical | Bounty
res.vacations.universalstudioshollywood.com | URL | Critical | Bounty
reservations.wynnvacations.com | URL | Critical | Bounty
rezagent.triseptsolutions.com | URL | Critical | Bounty
roominglist.hyatt.com | URL | Critical | Bounty
salesportal.hyatt.com | URL | Critical | Bounty
scapegoat.hyatt.com | URL | Critical | Bounty
shop.wyndhamvacationownership.trisept.travel | URL | Critical | Bounty
soaext.oft.hyatt.com | URL | Critical | Bounty
sso.oft.hyatt.com | URL | Critical | Bounty
upsell.hyatt.com | URL | Critical | Bounty
vacations.travelimpressions.com | URL | Critical | Bounty
vacations.united.com | URL | Critical | Bounty
vacations.universalstudioshollywood.com | URL | Critical | Bounty
world.hyatt.com | URL | Critical | Bounty

Showing 50 of 63 in-scope assets. View all on HackerOne.

Tips for Hacking Hyatt Hotels

  1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
  2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
  3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
  4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
  5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Hyatt Hotels?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Hyatt Hotels pay bounties?

Yes, Hyatt Hotels offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Hyatt Hotels accept?

Hyatt Hotels accepts reports for vulnerabilities found in their 63 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.