Southeast Asia-focused tourism platform Agoda has launched a public bug bounty program on HackerOne, inviting security researchers globally to test its platform and offering rewards of up to $6,000 based on the severity of valid findings.
In a statement on Monday, Agoda said the program covers its core web services and APIs, including Agoda.com and its mobile application, and builds on a private bug bounty program dating back to 2016. The move to a public program expands access to a broader global community of ethical hackers.
Yaron Slutzky, Chief Information Security Officer at Agoda, said Agoda has spent nearly ten years building a security program. Opening it to the wider security community reflects a belief that open, collaborative relationships are how the best security work gets done, the executive added.
Since the launch, Agoda has worked with hundreds of researchers, run targeted hacking campaigns focused on priority testing areas, and refined its bounty structure to remain competitive. The program currently averages a first response time of 30 hours and a time-to-triage of around five days.
All testing must be conducted within the defined scope and in accordance with HackerOne’s responsible disclosure policies.