At G6 Hospitality, we take cyber security and privacy very seriously. We build our websites and mobile applications following established best practices, to protect our guest and team member information. As part of this effort, G6 Hospitality encourages the responsible disclosure of web and mobile security vulnerabilities from legitimate third parties (including partners, researchers, media outlets, schools, and the public). If you think you have discovered a potential security bug in our websites or mobile apps, please let us know.
Rules
Scope – Web and mobile vulnerabilities within the scope of this Policy include those affecting the following G6 Hospitality websites and the G6 Hospitality approved mobile applications for iOS and Android:
Conditions - Any testing you perform must not: violate local, state, national or international laws, standards, policies, or requirements; cause or potentially cause a data breach or loss of service,; or incur harm to G6 Hospitality, our owned, managed, franchised or otherwise affiliated properties, or any associated individual. This Policy and all testing and reporting are subject to the additional, required terms and conditions contained in the Privacy Policy located at https://www.motel6.com/en/home/policies/privacy-policy.html and Terms of Use located at https://www.motel6.com/en/home/policies/terms-of-use.html, as each is updated from to time, and all of which you agree to when you conduct testing and/or submit reports or inquiries. Violation of the Privacy Policy, Terms of Use or this Policy are subject to legal remedies and enforcement. In addition:
· Report only suspected security or privacy vulnerabilities or bugs – do not report “missing” features or desired functional concerns using this channel.
· Do not submit vulnerabilities or security issues that only affect legacy or unsupported browsers, browser plugins, or operating systems.
· Do not submit vulnerabilities for insecure cookie settings on non-sensitive cookies.
· Only test to the extent necessary to confirm the existence of a vulnerability. Do not use any exploit to compromise or remove data, establish command-line access and/or persistence, elevate
privilege, or “pivot” to other systems.
· Do not download, copy, disclose, destroy, alter, transfer or use any proprietary or confidential data relating to G6 Hospitality, the properties, or any individuals.
· Under no circumstances attempt any of the following actions on G6 Hospitality websites or mobile applications:
o Code injection on live systems;
o Brute-force attacks of any kind;
o Service, business or system disruption or denial-of-service attacks;
o Mass mailing (spamming) or phishing of any kind using G6 Hospitality logos or other intellectual property;
o Mass creation of accounts;
o Social engineering attacks on G6 Hospitality personnel or guests;
o Physical testing of G6 Hospitality assets (e.g., hotel locks, etc.) or properties;
o Attacks against our mobile application that require physical access to the device or that require rooting or jailbreaking the device to work;
o The testing of My6 accounts that do not belong to you;
o Testing of any other sites or mobile applications;
o Page editing of any kind;
o Any actions that are prohibited or not clearly permitted by customary vulnerability disclosure programs in effect at the time of testing; or
o Automated scans using tools such as Nexpose or NetSparker.
· When testing, if you access personally identifiable information, personal health information, or financial information (payment card or bank account numbers) that does not belong to you, stop
testing immediately and contact us immediately at VDP@G6Hospitality.com.
If you are uncertain whether your security research is consistent with this Policy, please contact us at VDP@G6Hospitality.com with your concerns before conducting research.
No Compensation – This is not a “bug bounty” program and we make no promise or offer of reward or compensation of any kind in exchange for submitting potential security issues. G6 Hospitality does not offer financial compensation for any vulnerabilities reported under this Policy.
How to Report a Vulnerability
Report suspected vulnerabilities via email to VDP@G6Hospitality.com. Do not publicly disclose suspected vulnerabilities. All testing, reports and inquiries must be kept confidential and may not be shared in any way outside this Policy.
When submitting a vulnerability report, please include all relevant details of the vulnerability to ensure that we can validate and reproduce the issue. Please be sure to specify the operating system(s) and browser types and versions used in your testing.
G6 Hospitality reserves the sole right, at its discretion, to publicly announce the vulnerability at the time in the method of our choosing. Release notes and/or any related website announcements may include a named reference to the individual(s) or group(s) who reported the vulnerability. If you would prefer this information to be omitted, this must be stated at the time of submitting the vulnerability.
We treat any personal information (PI) submitted in compliance with applicable privacy laws. Please refer to our Privacy Policy should you wish to understand how we collect, store, and use any personal information you provide to us. If desired, vulnerability reports can be submitted on an anonymous basis by asking us to delete any personal information upon acknowledgment of the vulnerability report.