Security
Overview
This policy outlines the steps for reporting vulnerabilities to HolidayCheck. Please review this policy carefully before you test and/or report a vulnerability.
Rules of Engagement
The discovery and reporting of vulnerabilities can have civil and criminal consequences. The associated risks can be reduced if you follow these rules.
Do not discuss the security vulnerability you have discovered with anyone other than HolidayCheck.
Do not publicly disclose vulnerabilities found on our platform, unless given explicit permission by HolidayCheck.
Once you have reported a vulnerability to HolidayCheck, do not repeatedly interact with the affected system.
Do not leverage vulnerabilities to download, modify or delete any data beyond the minimum necessary actions to provide a proof of concept.
Do not attempt to escalate privileges or explore a system beyond the minimum necessary to provide a proof of concept.
Do not exfiltrate other users' data. Use only your own HolidayCheck account(s) for testing.
Do not attempt to gain access to HolidayCheck systems using brute force or social engineering techniques.
Do not use denial of service attacks.
Do not attempt to install malware, viruses and/or malicious code.
How to report a vulnerability
Please report security issues to us at infosec@holidaycheck.com in the following format:
Technical description of the vulnerability (including browser type, version and impacted platform URL(s)).
Sample code to demonstrate the vulnerability and/or detailed steps to reproduce.
Threat/risk assessment.
Date and time of discovery.
Contact information.
Please note that the channel here is for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.
What can you expect in return?
The HolidayCheck Security team will confirm and reply to your message within 5 workdays.
As needed, HolidayCheck will coordinate a disclosure together with the relevant partners and authorities within the legally required time frame.
Bug Bounty Program
HolidayCheck does not operate a bug bounty program at this time. Therefore, there will be no monetary or other reward for your reported findings.