At Choice Hotels International, we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us. In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. We will mature and revise this policy over time; please continue to check here for updates.

Special Message to Security Researcher/Vulnerability Reporter Community

Thank you, in advance, for notifying us regarding potential gaps in our security.  We appreciate those of you who partner with us to rectify vulnerabilities to ensure the least amount of impact and risk to our stakeholder communities. Therefore, you will see, included in our policy, our request to you for your assistance in the troubleshooting/remediation of those gaps and our request that you share your proposed resolution.

We will not pursue legal action, nor initiate a complaint to law enforcement, against the finder/researcher operating in good faith. However, Choice Hotels International reserves all legal rights in the event of noncompliance with the Guidelines for Operating in Good Faith that follow.

Reward

Please note, Choice Hotels International does not currently offer a “bug bounty” program; thus, we extend no offer of compensation/reward or public recognition for submittal of potential vulnerabilities.

Guidelines for Operating in Good Faith

To promote the discovery and reporting of vulnerabilities, we ask that you:

Responsible Disclosure/Vulnerability Disclosure Process: How to Submit a Vulnerability

To disclose a potential vulnerability, please email the Information Security and Privacy Teams:  responsibledisclosure@choicehotels.com.

Submission Format

When reporting a potential vulnerability, please include a detailed description of the vulnerability: tools utilized, target, processes, and results. Please support your findings by attaching any pertinent artifacts used for discovery.  Though not required for review and validation/verification of the vulnerability, if you have information regarding the remediation of the vulnerability, please share your proposed resolution.

Acknowledgement and Response

When a report is received by the Information Security Team, an acknowledgement will be sent in reply to the sender within five business days. A follow-on request for further information may be sent as needed. After validation/verification of a vulnerability, a follow-up reply will be sent to the sender.

Timeframe

Choice Hotels International will not negotiate in response to a threat (e.g., we will not negotiate under threat of withholding, or threat of releasing the vulnerability to the public).  That said, we dedicate our resources to work with you and ask that you allow us a reasonable amount of time for both the validation/verification and the resolution of the vulnerability before taking action to make it public.

External Vulnerability Reporting

Reporting of vulnerability information to other third parties/vendors will be determined at the discretion of Choice Hotels International.

Out of Scope

The following are out of scope for submittal under the Responsible Disclosure Policy. Out-of-scope vulnerabilities include:

REV 09/03/2019
