SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Agoda launches public bug bounty with USD $6,000 reward

Thu, 25th Jun 2026
Sean Mitchell, Publisher

Agoda has launched a public bug bounty programme on HackerOne, offering rewards of up to USD $6,000 for validated security findings.

The move expands a private bug bounty programme the travel platform has run since 2016. By shifting to a public model, Agoda is inviting a broader group of independent security researchers to test defined parts of its digital services and report vulnerabilities through a formal process.

The programme covers Agoda's core web services, application programming interfaces and mobile app, including Agoda.com. Researchers must stay within the published scope and follow responsible disclosure rules.

The public listing on HackerOne gives researchers a single reference point for testing rules, reporting requirements and disclosure standards. Agoda will use the platform to manage submissions, communicate with researchers and assess reports that qualify for rewards.

Payouts will depend on the severity of each validated report, with the top reward set at USD $6,000. The structure is intended to give researchers clarity on participation while helping Agoda's security team review and rank findings.

Long-running scheme

Agoda has worked with hundreds of researchers since the private programme began nearly a decade ago. It has also run targeted hacking campaigns focused on priority areas and adjusted bounty levels over time in line with wider market benchmarks.

Performance metrics from the existing scheme show an average first response time of 30 hours and an average time to triage of about five days. Those figures indicate how quickly Agoda acknowledges incoming reports and moves them into assessment.

Agoda described the public launch as an extension of an established security process rather than a new initiative built from scratch. Opening access to HackerOne's broader researcher community is intended to widen the range of technical perspectives applied to its systems while keeping the same rules on scope and disclosure.

Agoda operates a travel marketplace that includes more than six million hotels and holiday properties, along with flights, activities and other services. Its customer-facing services are available through its website and mobile app, making online security a central operational issue for the business.

Yaron Slutzky, Chief Information Security Officer at Agoda, commented on the change in approach.

"We've spent nearly ten years building a security program we're genuinely proud of, one that researchers want to engage with and that our team is equipped to support. Opening the program to the wider security community is the next step in that journey. We're inviting the global research community in because we believe open, collaborative relationships are how the best security work gets done, especially as companies across all industries work harder to combat the rise in criminal cyberattacks," Slutzky said.

Broader access

Public bug bounty programmes have become a common way for large consumer-facing companies to supplement internal security testing. They give outside researchers a defined route to flag flaws without resorting to informal contact channels, while setting out the conditions under which organisations will review reports and make payments.

For Agoda, the public launch gives greater visibility to a process that was previously limited to invited participants. Researchers can now review the in-scope assets, technical requirements and reporting procedures before carrying out any testing.

This approach is designed to reduce ambiguity. In practice, participants can see in advance which systems may be tested, how findings should be submitted and what disclosure standards apply.

HackerOne provides the infrastructure for that process, serving as the channel through which researchers and companies manage vulnerability reports. Agoda will use the platform to run the programme and determine which submissions are eligible for bounty payments.

Security focus

The public launch also reflects a wider trend among digital businesses facing sustained pressure from cyber threats. Travel platforms handle large volumes of customer and partner data, payments and account activity, making them regular targets for criminal attacks and frequent subjects of external security testing.

Agoda employs more than 7,000 people across 27 markets and is part of Booking Holdings. Its services are available in 39 languages, giving the company a broad global reach and a large digital footprint to protect.

The bug bounty scheme provides a formal route for security researchers to submit potential weaknesses for review by Agoda's internal team. Rewards will be tied to the severity of validated findings, and all testing must comply with the programme's published terms and responsible disclosure rules.