Responsible Disclosure Policy

If you are a security researcher and have discovered a security vulnerability in one of Travelport’s services or sites, thank you for disclosing it to us in a responsible manner. We recognize the invaluable role security researchers can play in enhancing systems and are committed to collaborating to address vulnerabilities responsibly.

Scope

This policy applies to the identification of security vulnerabilities within Travelport’s services, platforms, websites and applications.

Good faith reporting

Please note, Travelport does not currently operate a “bug bounty” program, and we do not offer compensation, reward or public recognition for submissions of potential vulnerabilities.

Reporting guidelines

To promote the discovery and reporting of vulnerabilities, we ask you to:

  • Be respectful of our existing applications; act to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Do not access or modify our data or our stakeholder’s data
  • If personal information (e.g., names, addresses, email addresses, unique identifiers, credit card numbers) is encountered, please stop all activity and immediately contact Travelport
  • Do not generate fraudulent financial transactions
  • Share the security issue with us

How to Report

Please email your findings to responsibledisclosure@travelport.com
with the following information:

  • A detailed description of the vulnerability (tools utilized, target, processes, and results)
  • Steps to reproduce the issue, including technical evidence, if available
  • Your contact information for follow-up

Commitment to Security Researchers

We will acknowledge your submission within 10 business days and we may follow up with you to ask for further information .

Legal action

We will not take legal action against researchers who follow this policy in good faith and do not engage in malicious activity or compromise user data. Activities that violate this policy or intentionally damage Travelport’s systems, data, or reputation are not protected.

Out of scope

The following are out of scope vulnerabilities for submittal under this Responsible Disclosure Policy:

  • Social engineering, such as attempts to steal cookies, fake login pages to collect credentials, and phishing
  • Resource exhaustion attacks
  • Physical testing
  • Denial of service attacks
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Systems not owned, operated, or controlled by Travelport

June 2025

Back To Top