Skyscanner Safeguards Traveler Data With Bug Bounty Program

With the rise of price comparison sites, customers are always on the hunt for a bargain. Skyscanner shows travelers all the options out there and now even allows travelers to book directly on its site. In doing so, Skyscanner's priority is protecting both the personal data it holds and the data shared with the customer's selected travel provider.

Skyscanner is a pioneering digital travel marketplace that allows customers to find and book great deals on flights, hotels, and car rentals through its app or website. Travelers can book directly with Skyscanner via Skyscanner's own secure booking flow, or book with a partner, either staying within Skyscanner or being redirected to the partner's website. The company also shares inspiring travel features and provides a platform for customers to keep their travel plans, payment details, and loyalty points in one convenient place.

While storing personal details and payment information gives customers faster check-out times and a more personalized experience, these services rely on Skyscanner’s dedication to protecting their data from a security breach. “Our goal is to make travel less stressful for our customers. That’s why we go the extra mile to ensure their data is secure and not vulnerable to cyber-attacks,” explains Alex Harriss, Senior Security Engineer at Skyscanner.

The company has a fast and comprehensive cybersecurity strategy that includes continuous testing. “We’re constantly improving our platform to make sure it’s not vulnerable to threats such as exfiltration attacks, card skimming, and fraud. We wanted to broaden our visibility beyond pen-testing to give us greater agility and ensure issues don’t slip through undetected,” comments Christian Martorella, Security Engineering Lead at Skyscanner.

Crowd-sourcing: A faster approach to security

To support its growing security team, Skyscanner implemented a bug bounty program with Bugcrowd. “The bug bounty program allows us to have eyes on new features as soon as they’re implemented. It helps us detect issues quickly that aren’t picked up by our other security processes,” says Martorella. “The coverage and scale of crowd-sourced researchers means we can develop at a much faster pace, and with Bugcrowd dealing with the initial triage we’re free to focus solely on valid submissions.”

Bugcrowd researchers thoroughly test the company’s two mobile apps and the website for issues and vulnerabilities. Unlike many bug bounty programs, Skyscanner pays higher rewards for any finding in its predefined focus areas, regardless of the submission’s priority rating. It also actively encourages researchers to do reconnaissance of the whole platform, including all its subdomains. “We want clear, detailed submissions that can be easily replicated. Researchers with experience of ecommerce flows and a creative flair are invaluable to us,” says Harriss.

Storage and retrieval of app data is one of the core focus areas of the program and earns researchers a higher bounty. “Magecart attacks, personal data exfiltration, and account takeovers are a concern in the travel industry, so we’re particularly interested in vulnerability reports relating to those areas to keep our customers safe,” comments Martorella.

Identifying preventable issues and speeding up innovation

With a whole crowd of researchers testing redirect flows, the booking platform, user account profiles, and the Partner Portal, the security team has been able to quickly identify recurring issues and put processes in place to prevent them. For example, when the program was launched, researchers were submitting reports on misconfigured S3 buckets. Since the team addressed the root cause of the problem, very few reports relating to this issue have been submitted.

“Bugcrowd is a great partner for us—the researchers are like an extension of our own security team. Working together we can reduce duplication, coordinate responses, and continuously improve the quality and quantity of submissions,” comments Harriss. “A crowd-sourced approach to security helps us to innovate faster and safeguard customer trust and our reputation.”

To find out more about Skyscanner visit www.skyscanner.net.

More about the interviewees

Christian Martorella is the Security Engineering Lead at Skyscanner. He has offensive and defensive experience, with an interest in security automation and in making security friendly and frictionless for users and engineers.

Alex Harriss is a Senior Security Engineer at Skyscanner and heads up its Product Security team. He has experience in web application security and manages Skyscanner’s bug bounty programme with his team.