Vulnerability Disclosure Programme

Updated 30.11.25

1. Purpose & Commitment

Portal is building the universal infrastructure layer for physical access. The security of our API, SDKs, and data processing pipeline is our highest priority.

We recognize the vital role that security researchers and the ethical hacking community play in keeping systems safe. This Vulnerability Disclosure Programme (VDP) outlines how researchers can report vulnerabilities to us safely and securely.

If you believe you have found a security vulnerability in a Portal application or infrastructure, we encourage you to report it to us as quickly as possible.

2. Safe Harbor

Portal is committed to not pursuing legal action against researchers who:

  • Conduct research without harming Portal, its customers, or its end users (guests).
  • Do not compromise the privacy or safety of our customers or their guests.
  • Adhere to the guidelines of this policy.
  • Promptly report any vulnerability discovered.

If you follow these guidelines, we will consider your research to be authorized and will work with you to understand and resolve the issue quickly.

3. In-Scope Targets

We invite researchers to test the following assets:

  • Core API: api.tryportal.com (and associated endpoints).
  • Portal Dashboard: The web-based management platform for operators.
  • Mobile SDKs: Our iOS and Android developer kits.
  • Web Apps: Guest-facing web keys and check-in flows.

Out of Scope:

  • Third-party property management system (PMS) integrations (e.g., testing the Mews or Oracle API directly).
  • Physical attacks against hardware installed at client properties (do not attempt to physically bypass locks at live hotels).
  • Social engineering (phishing) of Portal staff or customers.
  • Denial of Service (DoS) attacks.

4. Reporting a Vulnerability

Please submit your report via email to security@tryportal.com.

Your report should include:

  • Description: The type of vulnerability (e.g., XSS, IDOR, SQLi) and the potential impact.
  • Location: The specific URL, endpoint, or code snippet affected.
  • Proof of Concept (PoC): Step-by-step instructions to reproduce the issue (screenshots or video are helpful).
  • Severity: Your assessment of the risk level.

Note: Please do not disclose the vulnerability publicly until we have had a reasonable timeframe to remediate the issue.

5. Rules of Engagement

To protect our infrastructure and our customers' data, you must:

  • Do no harm: Ensure your testing does not disrupt service or degrade the user experience.
  • Respect Privacy: Never attempt to access, modify, or delete data belonging to a real customer or guest. If you discover PII (Personally Identifiable Information), stop testing immediately and report the finding.
  • Use Test Accounts: Only test against accounts you own or have explicit permission to test.

6. Our Response

When you submit a report, Portal will:

  1. Acknowledge receipt of your report within 5 business days.
  2. Review the finding and verify the vulnerability.
  3. Keep you informed of the remediation status.
  4. Notify you when the fix is deployed.

7. Recognition & Rewards

Portal offers discretionary rewards for the responsible disclosure of critical security vulnerabilities.

  • Rewards: Monetary bounties (up to £1,000 for critical severity) or Portal swag may be awarded based on the severity, impact, and novelty of the reported issue.
  • Hall of Fame: Researchers who make significant contributions to our security may be listed in our Security Hall of Fame (with permission).

Note: Rewards are granted entirely at Portal’s discretion. High-volume, low-impact automated scan reports do not qualify.

8. Customer Support

This programme is for security researchers only.

  • If you are a Portal Customer experiencing a login issue or suspected fraud, please contact our 24/7 support team at https://tryportal.com/support.
  • If you are a Hotel Guest having trouble accessing your room, please contact the hotel front desk directly.