Need Help?

IATA’s Responsible Disclosure Policy is not a bug bounty program and therefore does not provide any kind of rewards for vulnerabilities or bugs found by the public. If you believe you have found a vulnerability on the website, an application, or a customer’s product, please be responsible and follow the instructions according to the policy. Please read all the instructions and information in the adjacent tabs before submitting anything to IATA.

If you believe you have identified a vulnerability, please follow the steps below after reading all the available information in the subsequent tabs.

When reporting a potential security vulnerability, please include a detailed summary and all supporting information to aid us in understanding and reproducing the security vulnerability:

  • Type and class of vulnerability (XSS, buffer overflow, RCE, etc.)
  • Step-by-step instructions to reproduce the vulnerability
  • Proof-of-concept or exploit code
  • Potential impact of the vulnerability
  • Although not required for the submission, if you have information regarding a solution for the security vulnerability, please share your proposed solution with us

IATA expects you to follow these guidelines as a responsible disclosure security researcher:

  • You will not exploit any potential security vulnerability for any reason, including for financial or reputational gain
  • You will not download or collect any proprietary or customer information
  • You will not degrade system security or performance
  • You will not generate fictional accounts or information
  • You will at all times keep security vulnerability information that you may discover confidential and private, revealing it only to IATA following IATA’s specified submission process

The following points are considered out-of-scope activities and should be avoided by security researchers to prevent any legal action:

  • Exploitation of any security vulnerability that you identify
  • Engaging in social engineering or phishing of IATA employees, customers or business partners, including sending fake emails or using fake login pages for the purpose of collecting login credentials
  • Misappropriation of login credentials
  • Denial of Service (DoS) testing
  • Testing of third-party services or applications that interface with IATA Assets
  • Generating fraudulent financial transactions
  • Attempting to misappropriate cookies

Contact us

All communications and data should be sent to information.security@iata.org