Hyatt Launches Public Bug Bounty Program: Q&A With CISO Benjamin Vaughn

0

Hyatt Hotels Corporation and its affiliates (“Hyatt”) comprise one of the world’s largest hospitality brands with more than 750 properties in more than 55 countries. Those properties and their more than 100,000 colleagues have hosted millions of guests around the globe. That all amounts to a lot of data to protect and defend on a daily basis.

On the 16th of January, Hyatt has launched its first public bug bounty program at HackerOne. To learn more about Hyatt’s program and the company’s commitment to security, we sat down with Hyatt’s Chief Information Security Officer Benjamin Vaughn. Take a look at what we learned:

Q: Why did Hyatt launch a bug bounty program?
A: Hyatt’s purpose – we care for people so they can be their best – guides every decision we make, and protecting the information we receive from our guests is a key part of bringing our purpose to life. Our cyber security department is consistently identifying new ways to further enhance our security and we believe a bug bounty program is a great way to look to the security research community for their expertise. The security of our guests and colleagues is our top priority, and Hyatt will continue to do everything we can to protect their information.

Q: Is this Hyatt’s first bug bounty program? If not, what were the results of the private program?
A: Following the recommendations of HackerOne, Hyatt ran an invitation-only version of the program for some time. We were very pleased with the results of the private program and this helped inform our decision to launch the program publicly.

Q: What Hyatt channels are available for hackers to test?
A:
Hyatt.com, world.hyatt.com, Hyatt mobile app (iOS and Android versions), and m.hyatt.com are available for testing. Full scope and guidance is available on our program page: https://hackerone.com/hyatt.

Q: Why did Hyatt choose HackerOne to manage its program? Did the Hyatt security team evaluate other vendors?
A:
Hyatt conducted a review of the bug bounty marketplace and also evaluated the merits of operating our own program. Based on the results of that review, we selected HackerOne, and we look forward to working with the HackerOne community. We chose HackerOne specifically because of their robust platform, integration possibilities and clear rating system for vulnerabilities.

Q: Anything to say directly to the hacker community?
A:
We thank the participants of our private program for their assistance and ask any new participants to stay in touch with us as they perform their research. Our best advice for the hacker community is to dive deep and discover interesting vulnerabilities. We are impressed when we receive creative vulnerabilities. We will be there to help!

Share.