Section 1: Introduction
At Goki, the security of our guests, customers, and their data is fundamental to everything we build. We welcome responsible security research and are committed to working with the security community to identify and resolve vulnerabilities in our products and services.
This Vulnerability Disclosure Program (VDP) outlines how to report security vulnerabilities to us, what you can expect from us, and the rules of engagement.
If you are a Goki customer or guest and suspect unauthorised activity or fraud, please contact our support team at support.goki.travel rather than through this programme.
Section 2: Reporting a Vulnerability
Send your report to: security@goki.travel
Your report should include: a clear description of the vulnerability, the affected system or URL, step-by-step reproduction instructions, proof of concept (screenshots, logs, or video), and the potential impact as you understand it.
Please do not share vulnerability details outside of this reporting process. Public disclosure before a fix is available puts our customers at risk and will disqualify your report.
Section 3: What We Commit To
We will acknowledge your report within 3 business days. We will provide an initial assessment within 10 business days. We will keep you informed of remediation progress. We will not pursue legal action against researchers who follow this policy in good faith. We will credit you (if desired) when the vulnerability is resolved.
Section 4: Safe Harbour
Goki will not pursue civil or criminal action against security researchers who act in good faith and comply with this policy. We consider research conducted under this programme to be authorised under applicable computer fraud laws, provided you comply with the rules below. If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will make reasonable efforts to make it known that your actions were authorised.
Section 5: Scope
In scope: Goki public-facing web applications (gokitech.com, goki.travel), the PassLane platform (passlane.com), Goki mobile applications (iOS and Android), APIs and backend services supporting Goki products, and Goki IoT device firmware and communication protocols.
Out of scope: Third-party services and integrations not owned by Goki, physical attacks against Goki offices or data centres, social engineering of Goki staff or customers, denial of service (DoS/DDoS) attacks, and spam or phishing campaigns.
Goki reserves the right to modify the scope at any time.
Section 6: Rules of Engagement
When conducting security research under this programme, you must: test only against your own accounts or test accounts created for research purposes; not access, modify, or delete data belonging to other users; stop testing and report immediately if you encounter customer or guest personal data; not degrade the availability or performance of Goki services; not conduct testing against live guest properties or occupied hotel rooms; comply with all applicable laws; and give Goki reasonable time (a minimum of 90 days) to remediate before any public disclosure.
Section 7: Qualifying Vulnerabilities
We are particularly interested in: remote code execution, authentication or authorisation bypass, injection vulnerabilities (SQL, XSS, SSRF, etc.), insecure direct object references exposing customer data, privilege escalation, cryptographic weaknesses in device communication, and access control issues in the PassLane dashboard or API.
The following are generally not eligible: reports from automated scanning tools without a verified proof of concept, missing HTTP security headers without demonstrated impact, clickjacking on non-authenticated pages, rate limiting issues on non-critical endpoints, reports requiring unlikely user interaction, and previously reported or publicly known vulnerabilities.
Section 8: Recognition and Rewards
Goki may offer monetary rewards of up to $1,000 for qualifying vulnerabilities, based on severity and impact. Rewards are at Goki's sole discretion. The first reporter of a qualifying vulnerability receives priority. We also offer public acknowledgement (with your permission) on our security page.
Severity is assessed using the CVSS v3.1 framework as a guide: Critical (CVSS 9.0–10.0), High (CVSS 7.0–8.9), Medium (CVSS 4.0–6.9), and Low (CVSS 0.1–3.9).
Section 9: Contact
Security reports: security@goki.travel
General support: support@goki.travel
PGP key: available on request