Tickets Travel Network is one of the most distinctive and expansive travel distribution companies in the EMEA region. As a smart travel provider, we offer our customers a wide range of products: flights, train and bus journeys.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
| [Tickets.ua](https://play.google.com/store/apps/details?id=ua.tickets.gd&hl=uk) | Android | Critical | Bounty |
| [Tickets.ua](https://apps.apple.com/ua/app/tickets-ua/id731435070) | iOS | Critical | Bounty |
| [Tickets.kz](https://play.google.com/store/apps/details?id=kz.tickets.avia&gl=US&hl=ru) | Android | Critical | Bounty |
| [Tickets.kz](https://play.google.com/store/apps/details?id=kz.tickets.avia&gl=US&hl=ru) | iOS | Critical | Bounty |
| [Tickets.pl](https://play.google.com/store/apps/details?id=pl.tickets.avia&referrer=utm_source%3Dmainweb%26utm_medium%3Dbadge&hl=en) | Android | Critical | Bounty |
| [Tickets.pl](https://apps.apple.com/pl/app/tickets-pl/id1144507663?l=pl) | iOS | Critical | Bounty |
| [Kissandfly.com](https://play.google.com/store/apps/details?id=com.kissandfly.avia) | Android | Critical | Bounty |
| [Kissandfly.com](https://apps.apple.com/us/app/kissandfly/id6499211323) | iOS | Critical | Bounty |
IN SCOPE VULNERABILITIES (MOBILE)
We are interested in the following vulnerabilities:
- Business logic issues
- Payments manipulation
- Remote code execution (RCE)
- Injection vulnerabilities (SQL, XXE)
- File inclusions (Local & Remote)
- Access control issues (IDOR, privilege escalation, etc.)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Directory traversal
- Other vulnerabilities with a clear potential for loss
OUT OF SCOPE VULNERABILITIES
- Attacks requiring physical access to a user's device
- Vulnerabilities that require root/jailbreak
- Vulnerabilities requiring extensive user interaction
- Exposure of non-sensitive data on the device
- Reports from static analysis of the binary without PoC that impacts business logic
- Lack of obfuscation/binary protection/root(jailbreak) detection
- Bypass certificate pinning on rooted devices
- Lack of exploit mitigations (e.g., PIE, ARC, or stack canaries)
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- OAuth & app secret hard-coded/recoverable in IPA, APK
- Sensitive information retained as plaintext in the device’s memory
- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
- Any kind of sensitive data stored in the app's private directory
- Runtime hacking exploits using tools such as (but not limited to) Frida/Appmon (exploits only possible in a jailbroken environment)
- Shared links leaked through the system clipboard
- Any URIs leaked because a malicious app has permission to view URIs opened.
- Exposure of API keys with no security impact (Google Maps API keys etc.)
- Avoid using web application scanners for automated vulnerability searching, as they generate massive traffic
- Make every effort not to damage or restrict the availability of products, services or infrastructure
- Avoid compromising any personal data or causing interruption or degradation of any service
- Don't access or modify other users' data; localize all tests to your own accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chained vulnerabilities, we'll pay only for the vulnerability with the highest severity.
- Vulnerabilities found in any other regional domain sharing the same codebase will be considered the same vulnerability
- Only the first valid report of a bug is eligible for the reward
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission