
SAS Responsible Vulnerability Disclosure Program

Stockholm, 1 June 2026

Responsible Disclosure Policy

Scandinavian Airlines System Denmark-Norway-Sweden, a consortium established under the laws of Denmark, Norway and Sweden, having its principal office at Frösundaviks allé 1, 195 87 Stockholm, Sweden, (hereinafter “SAS”) is committed to protecting our customers, employees, partners, operations, networks, systems, and data.

We recognise that collaboration with the security research community helps strengthen the security, resilience, and trustworthiness of SAS digital services. SAS therefore welcomes responsible reports of potential security vulnerabilities affecting SAS-owned or SAS-controlled digital assets.

This policy describes how security researchers may report vulnerabilities to SAS and the expectations and boundaries for conducting security research related to SAS systems and services.

SAS does not currently operate a Bug Bounty programme and does not offer financial rewards, EuroBonus points, gifts, compensation, or other incentives in exchange for vulnerability reports. This policy is not the terms of a Bug Bounty programme.

In-Scope Assets

Unless otherwise stated, this policy applies only to digital assets that are:

  • owned by SAS,
  • directly managed by SAS,
  • and publicly accessible.

Examples of assets that may be considered in scope include:

  • SAS public websites on the .com, .se, .dk and .no domains
  • official SAS mobile applications
  • public APIs operated by SAS

Assets, services, systems, infrastructure, or environments not explicitly identified by SAS as in scope should be considered out of scope.

Third-party providers, supplier platforms, airport systems, alliance partner environments, and externally hosted services are not in scope unless explicitly authorised in writing by SAS.

Please adhere to the Terms and Conditions for use of the SAS website: https://www.sasgroup.net/contact/terms-and-conditions-for-use-of-sas-website/

Reporting a Vulnerability

Potential security vulnerabilities should be reported to SAS by email:

[email protected]

To encrypt your report with PGP, use the SAS public key published at: https://www.sas.se/.well-known/pgp-key.asc

Reports should include sufficient detail for SAS to understand, validate, reproduce, and assess the issue. Please include where possible:

  • Type and class of vulnerability, for example:
    • Cross-Site Scripting (XSS)
    • Insecure Direct Object Reference (IDOR)
    • Server-Side Request Forgery (SSRF)
    • Authentication or authorisation bypass
    • Remote Code Execution (RCE)
    • Misconfiguration
    • Exposed sensitive information
  • Affected domain, application, API, endpoint, or mobile application
  • Step-by-step reproduction instructions
  • Proof-of-concept details, screenshots, or request/response examples
  • Potential technical, operational, or business impact
  • Suggested remediation, if available

Please avoid including sensitive data in reports unless strictly necessary to demonstrate the issue.

If a vulnerability involves suspected exposure of personal data, this should be clearly indicated in the report to enable timely assessment and handling.

Vulnerability Handling Process

SAS aims to acknowledge receipt of vulnerability reports within seven (7) business days.

Following review, SAS will:

  • validate whether the issue is reproducible and in scope,
  • assess severity, exploitability, operational impact, and remediation priority,
  • determine appropriate remediation actions,
  • and communicate further with the reporter where relevant.

Resolution timelines may vary depending on:

  • severity,
  • operational complexity,
  • regulatory considerations,
  • third-party dependencies,
  • and aviation operational requirements.

SAS may request coordinated disclosure timelines where appropriate. Unless otherwise agreed in writing, researchers are expected to refrain from public disclosure until SAS has had a reasonable opportunity to remediate the reported vulnerability.

Duplicate reports may not receive individual recognition. Reported vulnerabilities may be integrated into SAS internal incident management, risk assessment, and, where applicable, regulatory reporting.

Responsible Research Guidelines

Security research must be conducted responsibly, lawfully, and with minimal impact to SAS operations, services, customers, and personnel.

Researchers acting in good faith under this policy are expected to:

  • Promptly report vulnerabilities to SAS
  • Take only the steps necessary to demonstrate the vulnerability
  • Avoid exploiting vulnerabilities beyond what is necessary to prove their existence
  • Immediately stop testing if personal data, operational data, credentials, tokens, or other sensitive information is encountered
  • If personal data is accessed, exposed, or otherwise processed during security research, this must be reported immediately to SAS. Such cases may be treated as potential personal data breaches and handled in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR).
  • Securely delete any information inadvertently accessed
  • Avoid actions that could degrade, disrupt, or impair SAS systems, services, operations, or availability
  • Avoid persistence, privilege escalation, lateral movement, or attempts to access additional systems
  • Maintain confidentiality of vulnerability information unless SAS has provided explicit written approval for disclosure
  • Comply with all applicable laws and regulations

Researchers must not:

  • Access, modify, delete, exfiltrate, or retain SAS, customer, employee, supplier, or operational data
  • Upload SAS information, screenshots, proof-of-concept material, or vulnerability details to public repositories, social media, or third-party sharing platforms without written approval from SAS

Out-of-Scope Activities

The following activities are strictly prohibited under this policy:

  • Attempts to pivot into internal infrastructure or non-public environments
  • Credential attacks, password spraying, brute force, session hijacking, or MFA bypass attempts
  • Denial-of-service (DoS), stress, load, or performance testing
  • Fraudulent bookings, refunds, or loyalty programme (EuroBonus) transactions or activity
  • Malware deployment, ransomware simulation, destructive testing, or persistence mechanisms
  • Physical security testing
  • Public disclosure before SAS has remediated the issue and provided written approval
  • Submitting unvalidated automated scanner output without a demonstrated vulnerability
  • Reporting deviations from security best practices (e.g. missing security headers) without a demonstrated security impact
  • Social engineering, phishing, vishing, smishing, or impersonation attempts
  • Testing aircraft systems, avionics, onboard systems, crew systems, airport operational systems, ground support equipment, operational technology (OT), or safety-critical environments
  • Testing involving SAS employees, customers, partners, suppliers, or airport personnel
  • Testing payment systems, cardholder data environments, or financial transaction flows beyond non-invasive validation
  • Testing third-party systems, supplier platforms, airport systems, alliance partners, or partner airlines unless explicitly authorised by SAS

Any activity that could impact flight safety, operational stability, regulatory compliance, or customer trust is strictly prohibited.

Legal Position and Safe Harbour

SAS supports responsible security research conducted in good faith and in accordance with this policy.

SAS will not initiate legal action against researchers for activities that:

  • are conducted in good faith,
  • comply with this policy,
  • avoid harm, disruption, or privacy violations,
  • and are promptly reported to SAS.

SAS considers vulnerability research conducted consistently with this policy to be authorised.

If a researcher unintentionally accesses limited sensitive information while acting in good faith and immediately reports the issue to SAS without further access, retention, use, or disclosure, SAS will not consider this alone to constitute malicious intent.

SAS reserves all rights in cases involving:

  • unlawful activity,
  • intentional data access or exfiltration,
  • extortion,
  • threats,
  • operational disruption,
  • public disclosure without approval,
  • testing of out-of-scope systems,
  • or non-compliance with this policy.

Nothing in this policy is intended to limit or exclude any rights or obligations under applicable law. This policy does not grant permission for activities that would otherwise be unlawful or fall outside its scope.

Recognition

SAS appreciates responsible contributions from the security research community.

While SAS does not currently provide financial rewards or compensation, SAS may, at its discretion and subject to legal, privacy, operational, and regulatory considerations:

  • acknowledge researchers privately,
  • provide written recognition,
  • or maintain a future responsible disclosure recognition programme or Hall of Fame.