Digital travel platform Agoda has launched a public Bug Bounty Program on HackerOne, inviting security researchers to pressure test its platform. Researchers who discover valid findings will receive rewards of up to $6,000, based on the severity of the finding.

Agoda has operated a private bug bounty program since 2016. The move to a public program on HackerOne, whose H1 Platform powers continuous threat exposure management for the tech industry, expands access to a broader global community of ethical hackers and builds on years of structured collaboration with the security research community. The program covers Agoda’s core web services and APIs, including Agoda.com and Agoda’s mobile application, and sets clear guidelines for testing, reporting, and responsible disclosure.

Yaron Slutzky, Chief Information Security Officer at Agoda, said:

“We’ve spent nearly ten years building a security program we’re genuinely proud of, one that researchers want to engage with and that our team is equipped to support. Opening the program to the wider security community is the next step in that journey. We’re inviting the global research community in because we believe open, collaborative relationships are how the best security work gets done, especially as companies across all industries work harder to combat the rise in criminal cyberattacks.”

Since launching the private program, Agoda has worked with hundreds of researchers, run targeted hacking campaigns to focus on testing priority areas, and refined its bounty structure to remain competitive with industry benchmarks. The program currently averages a first response time of 30 hours and a time-to-triage of around 5 days, reflecting the security team’s investment in fast, transparent engagement with researchers.

Bounty awards are assessed based on the severity level of each submission. All testing must be conducted within the defined scope and in accordance with HackerOne’s responsible disclosure policies.