Security: TratokToken/Hospitality

SECURITY.md

Security Policy

Supported versions

The Tratok Hospitality API has no formal version branches — the production service at https://hospitality.tratok.net/api.php is the only supported target, and security fixes are deployed there. This repository tracks the documentation and example clients for that API; security fixes here land on main and are tagged in CHANGELOG.md.

Reporting a vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Instead, email security@tratok.com with:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce, including the request URL with your API key redacted, request body, and response.
  • Your contact information so we can follow up.
  • (Optional) Suggested remediation.

We aim to:

Stage                                         | Target
----------------------------------------------|-------------------------------------------------------------
Acknowledge receipt                           | Within 1 business day
Initial assessment                            | Within 3 business days
Fix deployed (for confirmed vulnerabilities)  | Within 30 days for high-severity, 90 days for lower-severity
Public disclosure                             | Coordinated with the reporter, after the fix is live

In scope

  • The production API at https://hospitality.tratok.net/api.php
  • The provider portal at https://hospitality.tratok.net
  • The webhook delivery infrastructure
  • The iCal export endpoint at https://hospitality.tratok.net/ical_export.php
  • The example clients shipped in examples/ of this repo

Out of scope

  • Vulnerabilities in third-party services Tratok integrates with (report those to the upstream vendor)
  • Social engineering, physical attacks, or denial-of-service tests
  • Findings that require physical access to a provider's machine
  • Reports generated by automated scanners without a working proof-of-concept

What we ask of you

  • Give us a reasonable time to fix before public disclosure.
  • Don't access data that isn't yours during testing. Use your own provider account and your own listings.
  • Don't degrade the service for other providers. If a single reproduction step is enough, stop there.
  • No automated brute-force or fuzzing at scale. A few targeted requests are fine; thousands per minute are not.

Bounties

We don't run a formal bounty programme yet, but we acknowledge reporters publicly (with permission) and may award discretionary TRAT rewards for high-impact findings. Reach out and we'll discuss.


For non-security questions, use the provider support channels or open a regular GitHub issue.