Priceline

target_in_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 336381998 ([iOS App](https://itunes.apple.com/us/app/priceline-hotel-travel-deals/id336381998?mt=8)) | APPLE_STORE_APP_ID | | | | | | critical |
| admin.rezserver.com | URL | high | high | | | high | critical |
| api.rezserver.com | URL | | | | | | critical |
| com.priceline.android.negotiator | GOOGLE_PLAY_APP_ID | | | | | | critical |
| cruises.priceline.com | URL | | | | | | critical |
| reservations.rezserver.com | URL | | | | | | critical |
| secure.rezserver.com | URL | | | | | | critical |
| www.airportrentalcars.com | URL | | | | | | critical |
| www.bookingholdings.com | URL | low | none | | | medium | high |
| www.priceline.com | URL | | | | | | critical |
| www.priceline.com/vp-web/* | OTHER | | | | | | critical |

**admin.rezserver.com**

**Policy Guidance**

We are not currently providing credentials for this asset.

**Rules of Engagement**

- In request headers use 'hackerone-{your username}' for the user-agent
- Keep a low volume of requests
- Automated testing is not permitted
- Do not fuzz contact forms
- Do not fuzz "Request Account Activation" & "Request Product Activation"
- Do not fuzz the request for "Change Request under Sites"
- Do not modify other hacker_* user accounts under the HackerOne test account

**Non-Qualifying Vulnerabilities and Exclusions**

- CSRF

**api.rezserver.com**

**Rezserver API**

_Policy Guidance_

We are not currently providing credentials for this asset.

_Rules_

- Don't use automated tools or scanners
- Don't DDoS

_Out of scope vulnerabilities_

- Missing best practices in HTTP header configuration
- Any activity that could lead to the disruption of our service (DoS)
- Missing best practices in SSL/TLS configuration
- Account/email enumeration issues
- Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly)
- Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure

_Endpoints out of scope_

- Hotel: BookRequest
- Air: All endpoints
- Car: All endpoints
- Custom: All endpoints

**www.airportrentalcars.com**

Please be careful with the app. There is no rate control for reservations! **Please avoid submitting multiple reservations!** **If you submit a reservation, please make sure you cancel it.**

**www.priceline.com/vp-web/\***

The path www.priceline.com/vp-web/* will be decommissioned soon, so it is not eligible for bounty.

target_out_of_scope

| asset_identifier | asset_type | availability requirement | confidentiality requirement | eligible for bounty | eligible for submission | integrity requirement | max_severity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| www.airportrentalcars.com | URL | | | | | | none |

**www.airportrentalcars.com**

Airportrentalcars.com is currently *not* in scope. Please do not test it.