TripActions Bug Bounty Program

Terms of Service

Overview

TripActions, Inc. recognizes the importance of helping protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver on these ideals by continuously evaluating and testing the security of our software system and through the means of our Bug Bounty Program (“Program”).

Changes to these Terms

We may modify the terms of the Program or terminate this Program at any time. Changes made to the Program will not apply retroactively.

Participation Eligibility

This Program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.

Submissions of Reports

TripActions’ Bug Bounty Program is managed by a third party. Please report any vulnerabilities through the form submission (“Report”).

By submitting a Report, you (i) understand and acknowledge that TripActions may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report; (ii) understand that you are not guaranteed any compensation or credit for use of your Report; and (iii) represent and warrant that your Report is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Report to TripActions.

Confidentiality of Reports

We endeavor to address each Report in a timely manner. We require that Reports remain confidential and cannot be disclosed publicly or to any third parties, until we have investigated and resolved an issue you reported. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR A VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

License

TripActions is not claiming any ownership rights to your Report. However, by providing any Report to TripActions, you grant TripActions an irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in your Report to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of your Report. You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted herein.

Bounty Payment

TripActions will determine rewards within the following ranges based on a number of criteria, including severity score. The payouts listed below represent typical amounts awarded per category, and TripActions reserves the right to decrease or increase any of them based on our own assessment of impact. Prior bounty amounts awarded are not precedent for future payments.

Severity | Minimum | Maximum | Description
Critical | $1,500 | $2,000+ | Vulnerability which can be used to compromise TripActions customer or employee data.
High | $500 | $1,500 | Critical issues related to input validation, inadequate access management and others.
Medium | $250 | $500 | Best-practices issues such as misconfiguration.
Low | $0 | $0 | Good-to-know issues which are not the cause of any serious concerns or require immediate remediation.
Informational | $0 | $0 | Informational finding with little to no impact.

TripActions has a rating methodology when calculating the overall severity ratings for each vulnerability reported, taking into account the following factors:

Exclusions

The following categories of reports are considered out of scope for this Program and will not be rewarded:

TripActions will have the right to determine severity classifications, report validity, duplications, exclusions, and out-of-scope bugs in its sole discretion.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM. TO REPORT A VULNERABILITY PLEASE VIEW THIS PAGE ON DESKTOP.