We have built Treebo from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and the public plays a crucial role in identifying these bugs. If you believe you have found a security bug in our systems, we will gladly work with you to resolve the issue and ensure you are recognized for discovering the bug.

Treebo will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond to and fix reported vulnerabilities in accordance with our commitment to security and privacy. We would not take legal action against or suspend or terminate access to the Services for those who discover and report security vulnerabilities. Treebo reserves all of its legal rights in the event of any noncompliance to the Responsible Disclosure Policy.

Scope Exclusions

The following categories of reports are considered out of scope for our program and will not be rewarded:
  • Spamming other users with automated emails or notifications (e.g. abusing the forgot password form).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Reports relating to insufficient rate limiting on our APIs.
  • Any services hosted by 3rd party providers and services.
  • Flaws affecting the users of out-of-date web browsers and plugins.
  • Network level Denial of Service (DoS/DDoS) vulnerabilities.
  • Attacks requiring physical access to a user’s device and similar incidents such as office access (e.g. open doors, tailgating).
  • Invalid or missing SPF (Sender Policy Framework) records.
  • Bypass of URL malware detection.

Things we do not want to receive

  • Personally identifiable information (PII)
  • Credit card holder data


The details of any suspected vulnerabilities should be shared with the Treebo Security Team by sending an email to engg.security@treebohotels.com. Please do not publicly disclose these details without obtaining an express written consent from Treebo. In reporting any suspected vulnerabilities, please include the following information:

  • Vulnerability details with sufficient information to allow us to efficiently reproduce your steps.
  • Your valid email address.
  • Your name as it should be displayed on this page, if you would like it to be.
  • Your Twitter handle or website as it should be displayed on our contributors’ page.

Our Commitment

If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, Treebo commits to:

  • Promptly acknowledge receipt of your vulnerability report.
  • Provide an estimated timetable for resolution of the reported vulnerability.
  • Notify you when the reported vulnerability is fixed.
  • Publicly acknowledge your responsible disclosure.

Compensation Requests

Requests for monetary compensation in connection with any identified or alleged vulnerability will be deemed non-compliant with this Responsible Disclosure Policy.