Agoda opens public bug bounty programme on HackerOne
Agoda has opened its HackerOne bug bounty programme to public researchers, with rewards of up to US$6,000.
Agoda has opened its bug bounty programme to public participation on HackerOne, giving security researchers a formal route to test its platform and report vulnerabilities.
Researchers who submit valid findings may receive rewards of up to US$6,000, depending on the severity of the issue. The public programme builds on Agoda’s private bug bounty programme, which the digital travel platform has operated since 2016.
Public access expands Agoda’s researcher pool
The programme covers Agoda’s core web services and APIs, including Agoda.com and the Agoda mobile application. It also sets guidelines for testing, reporting and responsible disclosure, with all testing required to remain within the defined scope and follow HackerOne’s responsible disclosure policies.
Agoda has worked with hundreds of researchers through its private programme and has run targeted hacking campaigns focused on priority testing areas. Moving the programme into a public format widens access to a broader group of ethical hackers, while keeping submissions within a structured reporting process.
Yaron Slutzky, Chief Information Security Officer at Agoda, described the move as a continuation of the company’s long-running work with the security research community.
“We’re inviting the global research community in because we believe open, collaborative relationships are how the best security work gets done,” he said.
Response times give researchers a clearer process
Agoda’s programme currently averages a first response time of 30 hours. Its time-to-triage, the approximate time taken to review a submission and assess its severity, is around five days.
Those figures give researchers a clearer expectation of how reports will be handled after submission. Agoda added that it has refined its bounty structure to remain competitive with industry benchmarks, with rewards assessed according to the severity level of each finding.
The programme is hosted on HackerOne, whose platform supports bug bounty programmes, vulnerability disclosure, agentic pentesting, AI red teaming and code security.





