Bug bounty

Hello security researcher! Thanks for considering using your time to help us improve our security.

We don't have an official bug bounty program but do give rewards for disclosing security vulnerability on a case by case basis.

Please use https://app.test.makeplans.net for testing. Do NOT use a production account! Please limit use of any automatic vulnerability scanners.

Report any findings to us.

For a reference for what we do not consider to be non-qualiyfing please see https://bughunters.google.com/about/rules/google-friends/4849867320328192/cloud-vulnerability-reward-program-rules#non-qualifying-vulnerabilities

We respect the time you use to test our security and will treat you with respect. But please also respect our time. We receive many requests and demand for bug bounty compensation that is not really any security threat. Often such requests stems from automated tools and the researcher fails to understand what is reported (hence it not being a security issue).

Note: we do have some known issues that we are aware of: all users have the same access, so user hijacking within the same account is a limited issue. We offer ways to customise the booking site with JavaScript (hence the user hijacking with XSS). But there is no way for a non-user to do this.

If you have any questions please contact us.