
Vulnerability Disclosure Program

At Goki, our top priority is to ensure the protection of our guest and customer data. Our information security program enables this protection and puts us in a position to continually improve our approach.
Last updated on 17 January 2024

Purpose

The purpose of Goki's Vulnerability Disclosure Program is to encourage responsible reporting of security vulnerabilities in Goki guest properties, mobile applications, company websites, dashboards and services. Reports can be sent to security@goki.travel and should include details of the vulnerability and a proof of concept. We value the contributions of independent security researchers and bug reporters in improving security, and we are committed to working with security researchers to verify and address these potential vulnerabilities.

The program has clear rules and guidelines to follow, including avoiding any malicious or unauthorised actions and respecting privacy and laws. Only eligible, verifiable vulnerabilities that meet the criteria set by the company will qualify for a reward, and the first reporter will receive recognition for their contribution to the company's security.

It is important to note that if you are a current customer or guest of Goki and suspect any unauthorised activity or fraudulent behaviour, the first step should be to contact Goki's support team immediately at https://support.goki.travel/en/. If you believe you have found a security vulnerability, please follow the guidelines outlined in this policy and ensure that you are acting in good faith and not violating any privacy or legal regulations. Goki will provide a safe harbour for security researchers who follow the policy and act responsibly.

Testing Environments

Our test environment is set up to ensure that the privacy and safety of our guests are not compromised and that there is no disruption to the normal functioning of our services. Any violation of this policy could result in legal and/or administrative action against the violator. It is important to note that only authorised and approved testing is allowed and that all testing should be performed with prior written consent from Goki.

Reporting a Security Vulnerability

Sharing of vulnerability details outside of our formal reporting process is not permitted and will not result in acceptance by Goki of your vulnerability report.

Policy

Goki will investigate all legitimate reports and make every effort to quickly correct any vulnerability.

We ask in return that you:

- Provide details of the vulnerability, including the information needed to reproduce and validate it, when reporting a potential security issue to Goki. This will help the Goki Security Team to quickly and effectively verify and address the vulnerability.

- Allow Goki time to fix the vulnerability before it becomes public knowledge, since premature disclosure could result in harm to Goki's customers or systems. By giving Goki a reasonable amount of time to fix the issue, security researchers help ensure that the vulnerability is remedied before it can be exploited by malicious actors.

Security researchers are expected to act in good faith and avoid causing harm to Goki's systems, data, and guests while conducting vulnerability testing.

Program Rules

Goki encourages the responsible and ethical discovery and reporting of vulnerabilities. The following conduct is expressly prohibited:

- Any unauthorised access to data

- Violations of law, including but not limited to hacking, cracking, phishing, brute force attacks, and social engineering

- Destruction of data

- Interruption or degradation of Goki's services

- Privacy violations, including but not limited to accessing or collecting personal data without express permission

- Physical attacks on Goki's facilities or infrastructure

- Denial of Service (DoS) attacks

- Spamming or other malicious activities

- Engaging in any activity that creates a risk to the safety or well-being of Goki's guests or employees

- Using exploits to jump from one system to another within Goki's infrastructure

- Engaging in any activity that otherwise interferes with the normal operations of Goki's systems or services.

In Scope Targets

- Goki's public-facing web and mobile applications.

- APIs and other back-end services that support Goki's applications and services.

- Infrastructure and networks that support Goki's applications and services.

Note: The list of in-scope targets is subject to change, and Goki reserves the right to modify it at any time.

Recognition & Reward

Goki may, at its discretion, offer up to $1000 for new discoveries of a critical nature. Please note that the reward amount is discretionary and is based on the severity and impact of the vulnerability reported. Goki reserves the right to make the final decision on all rewards and to modify the reward program at any time.
