Alaska Airlines site security vulnerability reporting
We are committed to the privacy of our guests' information and providing safe digital experiences with our network, website, and mobile applications. If you have discovered a security vulnerability with any of these services, we'd like to know about it so we can address the risk. To do this, we've launched a responsible disclosure program to address security-related issues.
To report a suspected vulnerability to the Alaska Airlines Cyber Security team, fill out the form below. Your submission will be reviewed and validated, then our representatives will contact you with any further questions.
Guidelines for reporting vulnerabilities
To protect our guests, we need to make sure that any reporting is done responsibly, so we reserve the right to take any actions, including legal action, if the guidelines below are not followed:
- By submitting the vulnerability, you agree not to disclose the vulnerability to a third party without Alaska Airlines’ written permission.
- Do not compromise the privacy or safety of our guests.
- Do not perform testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
- Do not interrupt or degrade our services.
- Do not initiate fraudulent transactions.
- Do not modify or access data that doesn't belong to you.
- Provide enough detail to reproduce and validate the vulnerability, including targets, steps, tools, and artifacts.
- If you are using third-party tools to detect, report, or reproduce the vulnerability, please let us know so that we can ensure the intellectual property rights of third parties are respected.
- Allow a reasonable amount of time for Alaska Airlines to address the vulnerability before requesting an update or taking additional action.
Out-of-scope items
- Previously reported vulnerabilities
- Vulnerabilities on inflight Wi-Fi, entertainment systems, or avionics
- Accessible non-sensitive files and directories (e.g., README.TXT, CHANGES.TXT, robots.txt, .gitignore)
- Social engineering/phishing attacks
- Self XSS
- Text injection
- Email spoofing (including lack of SPF, DKIM, From: spoofing, and visually similar and related issues)
- Descriptive error messages (e.g., stack traces, application or server errors, path disclosure)
- Clickjacking and issues only exploitable through clickjacking
- CSRF issues that don't impact the integrity of an account (e.g., login or logout, contact forms, and other publicly accessible forms)
- Lack of Secure and HttpOnly cookie flags
- Missing HTTP security headers
- TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, bad cipher suite, expired certificates
- Out-of-date software
Third-party bugs
If vulnerabilities submitted through our disclosure form affect a third-party library, external project, or another vendor, Alaska Airlines reserves the right to forward the details of the vulnerability to the third party without further discussion with you. By submitting a vulnerability for our review, you agree to disclosure of the vulnerability to, and to be contacted by, any third parties involved in our sites. We will do our best to communicate with you throughout this process.