
Responsible Disclosure Policy

Welcome! You may be here because you’ve discovered a potential security issue, you’re looking for information about our responsible disclosure process, or you’re interested in whether we offer a whitehat bounty. We appreciate the time and effort that security researchers put into helping organizations identify and resolve vulnerabilities responsibly.

Before submitting a report, please review the responsible disclosure policy below. It explains what is in scope, how to contact us, what information to include, and the expectations we ask researchers to follow so we can investigate and respond appropriately.

Please remember that all vulnerability reports must be submitted to [email protected]. Reports sent to any other Engine email address, including individual employees or executives, will not be accepted or reviewed as part of our responsible disclosure process. This helps ensure reports reach the correct team quickly and can be handled through the proper security review workflow.

Effective Date: May 15, 2026

1. Introduction

HotelEngine, Inc., d/b/a Engine (“Engine,” “we,” “us,” or “our”) is committed to the security of its platform, products, and the data entrusted to us by our customers. We recognize that independent security researchers play an important role in identifying vulnerabilities and improving the security of the broader technology ecosystem.

This Responsible Disclosure Policy (“Policy”) establishes the framework under which Engine welcomes good-faith security research, describes how to report potential vulnerabilities, and sets out the commitments Engine makes to researchers who participate in good faith. This Policy is not a bug bounty program; no monetary compensation is offered.

2. Safe Harbor

Engine will not initiate or recommend civil or criminal legal action against any individual who discovers and reports a security vulnerability in good faith, strictly in accordance with this Policy. We consider security research conducted under this Policy to constitute authorized access under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and applicable federal and state computer fraud and unauthorized access statutes.

To qualify for safe harbor protection, a researcher must:

  • Comply with all requirements and restrictions set forth in this Policy;
  • Promptly report the vulnerability through the designated submission channel (Section 5);
  • Avoid accessing, modifying, storing, sharing, or destroying data beyond what is minimally necessary to demonstrate the existence of the vulnerability;
  • Not exploit the vulnerability for any purpose beyond demonstrating its existence to Engine; and
  • Cooperate with Engine’s security team during the investigation and remediation process.

Safe harbor does not apply to conduct that violates applicable law independent of computer access (e.g., physical intrusion, social engineering, or threats).

3. Scope

3.1 In-Scope Assets

The following Engine-owned assets are in scope for security research under this Policy:

  • engine.com and all subdomains (e.g., app.engine.com, api.engine.com)
  • Engine mobile applications (iOS and Android)
  • Engine’s publicly accessible APIs
  • Engine’s web-based customer and partner portals

If you are uncertain whether a particular asset is in scope, contact us at [email protected] before testing.

3.2 Out-of-Scope Assets

The following are explicitly out of scope. Testing against out-of-scope assets is not authorized and is not protected by safe harbor:

  • Engine X charge card network infrastructure, payment processing systems, and BIN-level controls (governed separately by PCI DSS obligations and Engine’s banking partner agreements);
  • Third-party systems, services, or infrastructure that Engine does not own or control, including but not limited to Fifth Third Bank, Stripe, Expedia, Sabre, Amadeus, or any other supplier or partner platform;
  • Engine’s internal corporate IT systems, employee email, or VPN infrastructure;
  • Physical security (offices, hardware, devices); and
  • Any asset not expressly listed in Section 3.1 above.

3.3 Out-of-Scope Vulnerability Classes

The following vulnerability types are out of scope unless accompanied by a clear, reproducible proof-of-concept demonstrating material exploitability in Engine’s environment:

  • Missing or incomplete SPF/DKIM/DMARC records without a demonstrated exploit path;
  • SSL/TLS configuration issues without proof of exploitability;
  • Self-XSS requiring significant user interaction;
  • Clickjacking on pages without authenticated actions;
  • Rate limiting or brute-force issues on non-sensitive endpoints;
  • Theoretical vulnerabilities without demonstrated impact; and
  • Findings generated solely by automated scanning tools without manual validation.

4. Prohibited Conduct

The following conduct is strictly prohibited regardless of intent and will void safe harbor protections:

  • Accessing, exfiltrating, modifying, corrupting, or destroying any data not belonging to you, including any personally identifiable information (PII), customer data, or financial data;
  • Conducting or attempting denial-of-service (DoS or DDoS) attacks against any Engine system or service;
  • Performing social engineering, phishing, or vishing attacks against Engine employees, contractors, or customers;
  • Attempting to gain physical access to Engine offices, hardware, or devices;
  • Deploying or executing malware, ransomware, or any other malicious code;
  • Automated scanning at a volume or rate that degrades the performance or availability of Engine’s systems;
  • Testing against production systems in a manner that creates risk of service disruption or data exposure;
  • Publicly disclosing any vulnerability prior to Engine’s written authorization (see Section 7); and
  • Any other conduct that violates applicable federal, state, or local law.

5. How to Submit a Report

Submit all vulnerability reports by email to: [email protected]

To enable our team to evaluate and respond effectively, please include the following information in your report:

  • Asset/system affected: URL, IP address, application name, or API endpoint;
  • Vulnerability type: Brief description of the class of vulnerability (e.g., SQL injection, IDOR, SSRF);
  • Steps to reproduce: Clear, step-by-step instructions sufficient for our team to independently reproduce the issue;
  • Proof of concept: Screenshots, videos, payloads, or other supporting evidence (redact any actual customer PII);
  • Impact assessment: Your assessment of the potential impact if exploited; and
  • Contact information: Name or pseudonym and a reliable email address for follow-up.

Reports may be submitted in English. We are unable to guarantee timely response to reports submitted in other languages.

6. Engine’s Commitments

For reports submitted in good faith and in compliance with this Policy, Engine commits to the following:

Acknowledgment. We will acknowledge receipt of your report within five (5) business days.

Status Updates. We will use commercially reasonable efforts to provide status updates on confirmed vulnerabilities and to keep researchers informed of material developments during the remediation process.

Remediation. We will use commercially reasonable efforts to investigate and remediate confirmed vulnerabilities in a timely manner, taking into account severity, complexity, and operational considerations.

Confidentiality. Information you share with us will be kept confidential within Engine’s security and legal teams, except as required by law or as necessary to remediate the issue with third-party vendors.

Acknowledgment of Contribution. If your report is confirmed as a valid vulnerability that results in a code or configuration change, Engine may—at its discretion and with your consent—recognize your contribution in Engine’s Security Acknowledgments.

No Retaliation. Engine will not take adverse action against any researcher who complies in good faith with this Policy.

7. Coordinated Disclosure and Embargo

Engine asks that researchers follow a coordinated disclosure approach: please allow Engine a reasonable period to investigate and remediate a vulnerability before disclosing it publicly or to any third party. Engine will use commercially reasonable efforts to keep researchers informed of its progress during this period.

Engine does not impose a fixed embargo deadline. We ask that researchers work collaboratively with us to agree on an appropriate disclosure timeline based on the nature and severity of the vulnerability. If a researcher believes Engine has failed to make reasonable progress toward remediation, we ask that the researcher contact us at [email protected] before proceeding with any public disclosure, so we may address the concern.

Engine will not request that researchers delay disclosure indefinitely. Where the parties cannot agree on a disclosure timeline, both parties agree to engage in good faith to reach a reasonable resolution.

8. Data Handling and PII

During the course of security research, you may incidentally encounter or access data belonging to Engine customers or third parties, including PII. You are required to:

  • Cease access immediately upon recognizing that customer or third-party data is involved;
  • Not access, download, retain, or transmit more data than is strictly necessary to confirm the existence of the vulnerability;
  • Immediately notify Engine at [email protected] that you have encountered customer or third-party data; and
  • Securely destroy any such data in your possession upon Engine’s request and confirm destruction in writing.

Engine will handle your personal information submitted with a report in accordance with its Privacy Policy, available at engine.com/privacy-policy.

9. General Provisions

Discretionary Recognition and Rewards. This Policy does not constitute a formal bug bounty program, and Engine is under no obligation to offer monetary compensation for vulnerability reports. Engine may, in its sole discretion, offer a monetary reward or other recognition for reports that are confirmed as valid, high-impact vulnerabilities. Any such reward is entirely discretionary, non-precedential, and subject to applicable law.

Governing Law. This Policy is governed by the laws of the State of Colorado, without regard to conflict of law principles.

Policy Updates. Engine reserves the right to modify this Policy at any time. The current version will always be available at engine.com/responsible-disclosure. Material changes will be noted by an updated Effective Date.

Entire Understanding. This Policy represents Engine’s complete statement regarding responsible disclosure and supersedes any prior or contemporaneous communications on the subject.

10. Contact

Security vulnerability reports: [email protected]

General legal inquiries: [email protected]

HotelEngine, Inc.
1601 Wewatta Street, Suite 250
Denver, CO 80202

Effective Date: May 15, 2026

