Agoda Opens Bug Bounty to Public via HackerOne, Offers Up to $6,000

Agoda has launched a public bug bounty programme on HackerOne, opening its security testing efforts to the global research community and offering rewards of up to US$6,000 per valid finding based on severity.

The Singapore-headquartered digital travel platform had operated a private bug bounty programme since 2016. The transition to a public programme expands access to a broader pool of ethical hackers and covers Agoda’s core web services and APIs, including Agoda.com and its mobile application. Clear guidelines govern testing scope, reporting procedures, and responsible disclosure.

A Decade of Structured Security Collaboration

Since establishing its private programme, Agoda has engaged hundreds of researchers, run targeted hacking campaigns focused on priority areas, and refined its bounty structure to remain competitive with industry benchmarks. The programme currently averages a first response time of 30 hours and a time-to-triage of around five days.

Yaron Slutzky, Chief Information Security Officer at Agoda, said the move reflects the company’s confidence in its security programme and its commitment to collaborative defence.

“We’ve spent nearly ten years building a security program we’re genuinely proud of, one that researchers want to engage with and that our team is equipped to support. Opening the program to the wider security community is the next step in that journey. We’re inviting the global research community in because we believe open, collaborative relationships are how the best security work gets done, especially as companies across all industries work harder to combat the rise in criminal cyberattacks.”

HackerOne’s Role in Continuous Threat Exposure

HackerOne’s H1 Platform underpins the programme, combining agentic AI with a global community of security researchers to support continuous threat exposure management. The platform enables discovery, validation, prioritisation, and remediation of vulnerabilities across code, cloud, and AI systems. HackerOne counts industry leaders including Goldman Sachs, Uber, and the US Department of Defense among its clients, and was recognised in Gartner’s Emerging Tech Impact Radar: AI Cybersecurity Ecosystem report.

Bounty awards are assessed according to submission severity. All testing must be conducted within the defined scope and in compliance with HackerOne’s responsible disclosure policies. Researchers can participate at hackerone.com/agoda-public.

Agoda, part of Booking Holdings (Nasdaq: BKNG), employs more than 7,000 staff across 27 markets and operates a network of over six million hotels and holiday properties worldwide.
