Vulnerability Disclosure Program (VDP)
VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.
british_airways_vdp
5
In Scope
3
Out of Scope
In-Scope Assets (5)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| *.ba.com | WILDCARD | No | ||
| *.britishairways.com | WILDCARD | No | ||
| Security vulnerabilities that are identified in digital properties owned, operated, or controlled by British Airways are considered in scope. | OTHER | No | - | |
| http://www.britishairways.com/nx | URL | No | ||
| www.britishairways.com | URL | No |
Out-of-Scope Assets (3)
| Asset | Category | Bounty | |
|---|---|---|---|
| Testing is not permitted on internal systems, employee portals, onboard aircraft systems, third-party services, or any assets using external networks or domains not directly owned or controlled by British Airways | OTHER | No | |
| accounts.britishairways.com | URL | No | |
| holiday.britishairways.com | URL | No |
Scope Changes (24)
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | security vulnerabilities that are identified in digital properties owned, operated, or controlled by british airways are considered in scope | OTHER | In Scope | 19:21 |
| Added | *.ba.com | WILDCARD | In Scope | 19:21 |
| Added | testing is not permitted on internal systems, employee portals, onboard aircraft systems, third-party services, or any assets using external networks or domains not directly owned or controlled by british airways | OTHER | Out of Scope | 19:21 |
| Added | accounts.britishairways.com | URL | Out of Scope | 19:21 |
| Added | holiday.britishairways.com | URL | Out of Scope | 19:21 |
| Added | *.britishairways.com | WILDCARD | In Scope | 19:21 |
| Added | www.britishairways.com | URL | In Scope | 19:21 |
| Added | http://www.britishairways.com/nx | URL | In Scope | 19:21 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | *.ba.com | WILDCARD | In Scope | 00:49 |
| Added | *.britishairways.com | WILDCARD | In Scope | 00:49 |
| Added | www.britishairways.com | URL | In Scope | 00:49 |
| Added | http://www.britishairways.com/nx | URL | In Scope | 00:49 |
| Added | security vulnerabilities that are identified in digital properties owned, operated, or controlled by british airways are considered in scope | OTHER | In Scope | 00:49 |
| Added | testing is not permitted on internal systems, employee portals, onboard aircraft systems, third-party services, or any assets using external networks or domains not directly owned or controlled by british airways | OTHER | Out of Scope | 00:49 |
| Added | accounts.britishairways.com | URL | Out of Scope | 00:49 |
| Added | holiday.britishairways.com | URL | Out of Scope | 00:49 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | *.britishairways.com | WILDCARD | In Scope | 19:13 |
| Added | www.britishairways.com | URL | In Scope | 19:13 |
| Added | http://www.britishairways.com/nx | URL | In Scope | 19:13 |
| Added | security vulnerabilities that are identified in digital properties owned, operated, or controlled by british airways are considered in scope | OTHER | In Scope | 19:13 |
| Added | *.ba.com | WILDCARD | In Scope | 19:13 |
| Added | testing is not permitted on internal systems, employee portals, onboard aircraft systems, third-party services, or any assets using external networks or domains not directly owned or controlled by british airways | OTHER | Out of Scope | 19:13 |
| Added | accounts.britishairways.com | URL | Out of Scope | 19:13 |
| Added | holiday.britishairways.com | URL | Out of Scope | 19:13 |