Responsible Disclosure/Vulnerability Disclosure Policy
At Choice Hotels International, we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. We will mature and revise this policy as we move forward into the future; please continue to check here for updates.
Special Message to Security Researcher/Vulnerability Reporter Community
Thank you for notifying us about potential gaps in our security. We very much appreciate those of you who connect with us to rectify vulnerabilities to ensure the least amount of impact and risk to our stakeholder communities, and in support, we have a established a Responsible Disclosure/Vulnerability Disclosure Policy.
Legal Action
We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. However, Choice Hotels International reserves all legal rights in the event of non-compliance to the Guidelines for Operating in Good Faith follow included in the Policy.
Reward
Please note, Choice Hotels International does not currently offer a “bug bounty” program; thus, we extend no offer of compensation/reward or public recognition for submittal of potential vulnerabilities.
Guidelines for Operating in Good Faith
To promote the discovery and reporting of vulnerabilities, we ask that you:
- Be respectful of our existing applications; act to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service);
- Do not access or modify our data or our stakeholder’s data;
- Contact us immediately if you do encounter stakeholder data. Do not view, alter, destroy, save, share, store, transfer, or otherwise access or compromise the data, and please purge any local information upon reporting the vulnerability to us;
- If personal information (e.g., names, addresses, email addresses, loyalty account numbers, unique identifiers, credit card numbers) is encountered, please stop all activity and immediately contact Choice Hotels International;
- Do not generate fraudulent financial transactions;
- Do not participate in any activity that violates a) federal, state or international laws or regulations, or b) the laws or regulations of any country where i) assets, data, or systems reside, ii) data traffic is routed, iii) the researcher is conducting research activity, or iv) where data subjects reside;
- Share the security and/or privacy issue with us.
Responsible Disclosure/Vulnerability Disclosure Process: How to Submit a Vulnerability
To disclose a potential vulnerability, please email the Information Security and Privacy Teams: responsibledisclosure@choicehotels.com.
Submission Format
When reporting a potential vulnerability, please include a detailed description of the vulnerability: tools utilized, target, processes, and results. Please support your findings by attaching any pertinent artifacts used for discovery. Though not required for review and validation/verification of the vulnerability, if you have information regarding the remediation of the vulnerability, please share your proposed resolution.
Acknowledgement and Response
When a report is received by the Information Security Team, an acknowledgement will be sent in reply to the sender within five business days. A follow-on request for further information may be sent as needed. After validation/verification of a vulnerability, a follow-up reply will be sent to the sender.
Timeframe
Choice Hotels International will not negotiate in response to a threat (e.g., we will not negotiate under threat of withholding, or threat of releasing the vulnerability to the public). That said, we dedicate our resources to work with you and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public.
External Vulnerability Reporting
Reporting of vulnerability information to other third parties/vendors will be determined at the discretion of Choice Hotels International.
Out of Scope
The following are out of scope for submittal under the Responsible Disclosure Policy. Out-of-scope vulnerabilities include:
- Social Engineering, Such as Attempts to Steal Cookies, Fake LogIn Pages to Collect Credentials, and Phishing
- Resource Exhaustion Attacks
- Physical Testing
- Denial of Service Attacks