Vulnerability Disclosure Policy

Last Updated: May 14, 2026
Status: Active


1. Introduction and Commitment

At Global Hotel Alliance (GHA), the security of our guests' information and the integrity of our booking systems are our top priorities. We recognise the vital role that independent security researchers play in the internet ecosystem. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our process for how to submit discovered vulnerabilities to us.

2. Authorisation (Safe Harbor)

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will not take any legal action against you or request that law enforcement investigate you.

Safe Harbor Statement: GHA will not initiate legal action against researchers for penetrating or attempting to penetrate our systems, provided they adhere to the guidelines outlined below and do not cause harm to GHA, its member brands, or its guests.

3. Scope

This policy applies to the following systems and services managed by GHA.

In-Scope Assets

  • *.ghadiscovery.com
  • *.ghadiscovery.cn
  • GHA DISCOVERY Mobile Applications (iOS and Android)
  • GHA Booking API Endpoints
  • *.gha.com
  • GHA WeChat Mini Program
  • GHA RedNote Mini Program

Out-of-Scope Assets

  • Physical Property Security: Do not attempt physical security attacks at member hotel locations.
  • Third-Party Providers: Any service not directly hosted by GHA (e.g., individual hotel brand websites not under the GHA/DISCOVERY domain).
  • Social Engineering: No phishing or pretexting against GHA employees or hotel staff.

4. Submission Guidelines

To maintain the safety of our guests and systems, researchers must:

  • Notify us immediately upon discovery of a potential vulnerability.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services (e.g., no DDoS).
  • Only interact with accounts you own or have explicit permission from the account holder to test.
  • Provide a detailed summary: Include proof-of-concept (PoC) scripts, screenshots, or clear steps to reproduce the issue.

5. Prohibited Actions

The following actions are strictly prohibited and will void your Safe Harbor protection:

  1. Exfiltrating, downloading, or "dumping" guest PII or credit card data.
  2. Executing Denial of Service (DoS or DDoS) attacks.
  3. Posting, transmitting, or linking to malicious software.
  4. Publicly disclosing the vulnerability before GHA has had a reasonable time to remediate (standard 90-day window).

6. How to Report a Vulnerability

Do not contact our SOC or individual hotel front desks. All reports must be submitted through our centralised vulnerability disclosure intake:

  • Primary Channel: [email protected]
  • Required Format:
    • Subject: [Vulnerability Report] - [Type of Bug] - [Affected Asset]
    • Body: Description of the impact, steps to reproduce, and your contact information.
    • Encryption: Please use our PGP Key [Link/ID] for sensitive attachments.

7. Our Commitment to You

When you report a vulnerability in accordance with this policy, we commit to:

  • Acknowledgement: We will acknowledge receipt of your report within 3 business days.
  • Transparency: We will keep you informed of our progress as we investigate and remediate the issue.
  • Recognition: If you are the first to report a unique, validated vulnerability, we will (at your request) provide public recognition on our "Security Researcher Hall of Fame."

Executive Summary for Implementation

  • Legal Review: Our legal counsel must vet the "Safe Harbor" language to ensure it aligns with the jurisdictions where GHA operates.
  • Triage: This inbox will be monitored by the Cybersecurity Lead, not the general IT helpdesk, to ensure technical competence in the initial response.
  • Bounty Status: Currently, this is a Disclosure Only policy. We are not offering monetary rewards (Bug Bounties) at this stage.