HomeResponsible Disclosure Policy

Responsible Disclosure Policy

At Choice Hotels International, we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy.  We will mature and revise this policy as we move forward into the future; please continue to check here for updates.

Special Message to Security Researcher/Vulnerability Reporter Community

Thank you, in advance, for notifying us regarding potential gaps in our security.  We appreciate those of you who partner with us to rectify vulnerabilities to ensure the least amount of impact and risk to our stakeholder communities. Therefore, you will see, included in our policy, our request to you for your assistance in the troubleshooting/remediation of those gaps and our request that you share your proposed resolution.

We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith.  However, Choice Hotels International reserves all legal rights in the event of noncompliance to the Guidelines for Operating in Good Faith that follow.

Reward

Please note, Choice Hotels International does not currently offer a “bug bounty” program; thus, we extend no offer of compensation/reward or public recognition for submittal of potential vulnerabilities.

Guidelines for Operating in Good Faith

To promote the discovery and reporting of vulnerabilities, we ask that you:

  • Be respectful of our existing applications; act to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
  • Do not access or modify our data or our stakeholder’s data;
  • Contact us immediately if you do encounter stakeholder data. Do not view, alter, destroy, save, share, store, transfer, or otherwise access or compromise the data, and please purge any local information upon reporting the vulnerability to us;
  • If personal information (e.g., names, addresses, email addresses, loyalty account numbers, unique identifiers, credit card numbers) is encountered, please stop all activity and immediately contact Choice Hotels International;
  • Do not generate fraudulent financial transactions;
  • Do not participate in any activity that violates a) federal, state or international laws or regulations, or b) the laws or regulations of any country where i) assets, data, or systems reside, ii) data traffic is routed, iii) the researcher is conducting research activity, or iv) where data subjects reside;
  • Share the security and/or privacy issue with us.

Responsible Disclosure/Vulnerability Disclosure Process: How to Submit a Vulnerability

To disclose a potential vulnerability, please email the Information Security and Privacy Teams:  [email protected].

Submission Format

When reporting a potential vulnerability, please include a detailed description of the vulnerability: tools utilized, target, processes, and results. Please support your findings by attaching any pertinent artifacts used for discovery.  Though not required for review and validation/verification of the vulnerability, if you have information regarding the remediation of the vulnerability, please share your proposed resolution.

Acknowledgement and Response

When a report is received by the Information Security Team, an acknowledgement will be sent in reply to the sender within five business days. A follow-on request for further information may be sent as needed. After validation/verification of a vulnerability, a follow-up reply will be sent to the sender.

Timeframe

Choice Hotels International will not negotiate in response to a threat (e.g., we will not negotiate under threat of withholding, or threat of releasing the vulnerability to the public).  That said, we dedicate our resources to work with you and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties/vendors will be determined at the discretion of Choice Hotels International.

Out of Scope

The following are out of scope for submittal under the Responsible Disclosure Policy. Out-of-scope vulnerabilities include:

  • Social Engineering, Such as Attempts to Steal Cookies, Fake LogIn Pages to Collect Credentials, and Phishing
  • Resource Exhaustion Attacks
  • Physical Testing
  • Denial of Service Attacks

 

REV 09/03/2019