Login Request a demo
A company of Pruvo — a Web Travel Group (Webbeds) company
Legal

Report a security issue.

Last updated · May 2026

Security is critical to everything we build. If you believe you've found a vulnerability in Pruvo's website, B2B platform or infrastructure, we'd like to hear from you.

1. How to report

Send a clear, reproducible report to security@pruvo.com. Please include:

  • A description of the issue and the impact you observed
  • Step-by-step instructions to reproduce, including affected URL or endpoint
  • Screenshots, request/response samples or proof-of-concept code where applicable
  • Your contact details (so we can confirm receipt and follow up)
Please do not

publicly disclose the issue, run automated scans that degrade performance, attempt to access data that isn't yours, or hold information for ransom. Coordinated disclosure protects everyone.

2. In scope

  • Production services hosted on pruvo.com and authenticated B2B subdomains
  • Pruvo public APIs documented at our partner portal
  • Authentication, session, authorization and access-control issues
  • Server-side injection, deserialization, SSRF, RCE, IDOR, business-logic bypass
  • Sensitive data exposure that affects real Pruvo data

3. Out of scope

  • Reports based purely on automated scanners without a working proof of concept
  • Missing security headers without demonstrable impact
  • Self-XSS or social-engineering of Pruvo employees, contractors or partners
  • DoS or volumetric attacks; brute-forcing authenticated endpoints
  • Vulnerabilities in third-party services that are out of our control
  • Reports concerning the consumer Pruvo product (no longer offered)

4. Responsible disclosure guidelines

  • Give us reasonable time to investigate and fix before public disclosure
  • Don't access, modify or exfiltrate data beyond what is needed to demonstrate the issue
  • Use a test or your own account where possible; never pivot through real partner accounts
  • Comply with all applicable laws in the country you are testing from

5. What to expect from us

Acknowledge
Within 2 business days of receiving your report
Triage
Within 5 business days, with a severity estimate
Resolution
Driven by severity — critical issues are typically addressed in days, lower-impact in weeks
Updates
Status updates throughout, plus a final report on fix or mitigation

6. Recognition

We don't currently run a paid bug bounty, but we genuinely appreciate the time researchers spend keeping us secure. With your permission, we will publicly credit valid, responsibly-disclosed reports in a Hall of Fame page.

7. Encrypted reports

For sensitive reports, you can encrypt to a Pruvo PGP key on request. Email security@pruvo.com and we will share the current public key fingerprint.