Awayday Vacation Rentals
Strategic PMS
Security Roadmap
From Assessment to Action

Counter Measures Security, LLC  |  March 2026
CONFIDENTIAL
The Key Insight

Awayday's main threat — and its main enabler for growth — sits with the migration process and the platforms.


Every brand acquired inherits the security posture of whatever PMS it runs on. Every migration is painful, costly, and introduces its own risks. The growth strategy that defines Awayday's competitive position is simultaneously the mechanism that compounds vendor risk across the portfolio.

Both Platforms Compromised

43 findings in Track. 38 in Streamline. All vendor-owned. Configuration cannot fix them.

Contracts Shift Liability

Both vendors disclaim security warranties and cap their own liability far below actual exposure.

Assessment Creates Leverage

Documented vendor negligence changes the negotiation dynamic from concern to evidence.

Track: What We Found
Willful neglect — the controls exist and were consciously left unused

43 Total  |  7 Critical  |  12 High  |  10 Medium  |  14 Low / Info
Vendor-Owned:  42 of 43 findings require Track to remediate
Client-Actionable:  1 finding (MFA enablement)

Session Resurrection

Expired attacker cookies auto-reactivate when the victim re-authenticates. Permanent, self-healing backdoor requiring no further attacker action. MFA bypassed entirely.

Cosmetic RBAC

All 9 defined roles grant identical permissions. A front-desk agent has the same API access as an administrator. The framework exists in the UI but enforces nothing at the API layer.

Owner Financial Data Exposed

Tax identifiers (SSN/EIN), home addresses, and financial statements accessible to any authenticated session regardless of role via paginated REST API.

The session resurrection behavior requires deliberate server-side logic — that code was written intentionally. Auth0, session policies, and cookie mechanisms are all present. The security controls were consciously disabled or never wired in.
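As an added illustration, not Track's code and not part of the assessment deliverable: a toy Python model of the session-resurrection behaviour described above beside a hardened store, plus the re-test a remediation review would run to tell a real fix from a cosmetic one. The account name and TTL are constructed values.

```python
import secrets
from dataclasses import dataclass
# Constructed toy model, not Track's code: the described resurrection defect
# beside a hardened store, plus the re-test that tells them apart.

@dataclass
class Session:
    user: str
    expires_at: float
    active: bool = True

class ResurrectingStore:
    """Models the finding: dead sessions are retained and revived on re-login."""
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
    def login(self, user: str, now: float, ttl: float = 3600) -> str:
        # Defect: every earlier session for this user is reactivated, including
        # logged-out and expired ones, so a cookie copied once keeps working.
        for s in self.sessions.values():
            if s.user == user:
                s.active, s.expires_at = True, now + ttl
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now + ttl)
        return sid
    def logout(self, sid: str) -> None:
        if sid in self.sessions:
            self.sessions[sid].active = False  # cosmetic: the record survives
    def is_valid(self, sid: str, now: float) -> bool:
        s = self.sessions.get(sid)
        return s is not None and s.active and now < s.expires_at

class HardenedStore(ResurrectingStore):
    """Re-login mints a fresh session and never revives old ones; logout deletes."""
    def login(self, user: str, now: float, ttl: float = 3600) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now + ttl)
        return sid
    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

def audit_no_resurrection(store: ResurrectingStore, ttl: float = 3600) -> bool:
    """Re-test pattern: a logged-out or expired session must stay invalid after
    the same account authenticates again. True means the store passes."""
    user, t0 = "owner@example.test", 0.0
    logged_out = store.login(user, t0, ttl)
    store.logout(logged_out)
    expired = store.login(user, t0, ttl)
    later = t0 + ttl + 1  # past the TTL of both earlier sessions
    store.login(user, later, ttl)  # the legitimate user re-authenticates
    return not (store.is_valid(logged_out, later) or store.is_valid(expired, later))
```

The same invariant, expressed against the vendor's real endpoints, is what the Phase 2 remediation scoring should verify rather than accepting a release note.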
Streamline: What We Found
Externally accessible — the most critical exposures require no authentication at all

38 Total  |  4 Critical  |  7 High  |  3 Med-High  |  10 Medium  |  14 Low / Info
Vendor-Owned:  100% of findings require Inhabit IQ to remediate
Physical Security Risk:  WiFi + GPS + addresses exposed unauthenticated

Properties Exposed

Unauthenticated XML API returns WiFi passwords, GPS coordinates, and physical addresses for all managed properties. No credentials required.

Perpetual API Token

A Streamsign token with no expiration date provides permanent access to the booking lifecycle: reservations, payments, contracts, guest management.

JWT → Cookie → Token Chain

Steal JWT → bootstrap legacy cookie → recover all API tokens in plaintext → permanent unauthenticated access. One compromise cascades to full control.

The JWT already contains an IP claim — the infrastructure to bind sessions exists — but enforcement was never activated. The Cloudflare WAF passes traffic through without rules. The security knowledge in the modern stack was never applied to legacy pages.
Side-by-Side: Neither Is Secure
Different risk geometries, same architectural depth

Session Architecture
  Track:  Sessions are permanent credentials. Resurrection, no binding, cosmetic logout, MFA bypass.
  Streamline:  Sessions persist indefinitely. No timeout, no invalidation, no binding. Cookie transplant across stacks.
  Edge:  Both Broken

API Access Control
  Track:  Session cookie = full platform access regardless of role. Owner Tax IDs, financial data exposed.
  Streamline:  Unauthenticated XML API tokens. WiFi, GPS, addresses. Perpetual token. Write access to bookings.
  Edge:  Both Broken

Physical Security
  Track:  No physical data exposed via API.
  Streamline:  WiFi credentials + GPS + addresses. Physical intrusion enabler.
  Edge:  Track

RBAC Enforcement
  Track:  Cosmetic — all roles identical at API layer.
  Streamline:  Three privilege levels with some differentiation, but legacy pages bypass boundaries.
  Edge:  Both Weak

Contractual Leverage
  Track:  CAB seat. MSA gap analysis complete. Marketed MFA/RBAC = strongest warranty argument.
  Streamline:  No governance seat. Non-binding security statement. Gap analysis not yet done.
  Edge:  Track

Vendor Stability
  Track:  Headcount reductions. 5+ C-suite changes in 12mo. Small engineering team.
  Streamline:  Absorbing LiveRez + LMPM refugees. Price increase history. PE exit pressure.
  Edge:  Both Elevated

Willful Neglect
  Track:  Auth0, RBAC framework, session policies all present — security controls deliberately unenforced.
  Streamline:  JWT IP claim, Cloudflare WAF, React XSS protections — all exist in infrastructure but not applied.
  Edge:  Both Confirmed
Liability and Risk Transfer
Awayday's compliance strategy relies on vendor security posture — which the assessment now documents as failing

The Gap

Awayday's model correctly shifts PCI and compliance obligations to vendors. But the vendors' actual security posture does not support the risk transfer. State breach notification obligations flow to the data controller — Awayday — regardless of vendor disclaimers.

Florida: 30-day notification window. North Carolina: Covers EIN exposure; private right of action. Virginia: Controller bears primary responsibility regardless of processor fault.

The Contracts
  • Track §5.4 disclaims all security warranties
  • Track §7.4 assigns credential liability to customer
  • Track §10 caps liability at 6 months' fees
  • Track §6 Waiver covers all claims through June 2025
  • Streamline API terms are "AS IS" — full disclaimer
  • Best argument: MFA and RBAC marketed as features but fail server-side — strongest warranty theory under §5.2(ii)
Questions for leadership: What is the cost if this data were compromised — including trickle-down effects to owners and vacationers? What is the risk from a competitor acquiring Track or Streamline? What is the realistic breach likelihood given confirmed exploitability? These should be evaluated through structured tabletop exercises using the confirmed attack chains as scenarios.
Strategic Options
Four paths forward — the platform decision should follow governance, not precede it

Option A: Maintain Status Quo + Enhanced Governance  |  Lowest Disruption
Negotiate security amendments. Build compensating controls. Accept residual risk. Conditions: Vendors must demonstrate meaningful remediation of Critical findings within defined timelines. Contract amendments must include enforceable commitments — not marketing language.
Option B: Consolidate onto One Platform  |  Single Vendor
Migrate all brands to Track or Streamline. Eliminates dual-vendor complexity. Risk: Concentrates dependency on one vendor's security posture. Neither is materially more secure — this trades diversified risk for concentrated risk. Track CAB seat is a lever; Streamline lacks governance access.
Option C: New Platform — Replace Both  |  Clean Break
Evaluate Guesty, Hostaway, Barefoot, Escapia. Maximum disruption, highest cost. Unknown security posture. The assessment methodology is now available as a pre-contract evaluation framework.
Option D: New Platform for New Brands Only  |  Phased
Onboard new acquisitions into a new platform exclusively; migrate existing brands in parallel over time. Limits disruption but requires three-platform operational capacity.
Recommendation: The platform decision should be made at Month 6, informed by vendor remediation performance and data mapping — not today. Phase 1 (next slide) builds the governance foundation and negotiation leverage that makes an informed decision possible.
The Central Constraint

The Migration Trap


Switching costs deter migration. Remaining on compromised platforms compounds risk. Each acquisition adds to the switching cost, making future migration harder. This is a ratchet that only tightens.

Multi-Brand Complexity

Each brand has its own configurations, market customs, owner relationships, and staff workflows. Standardizing during migration risks breaking what makes each brand valuable.

Acquisition Velocity

New brands arrive continuously. Each brings a PMS instance or configuration. The migration challenge is not static — it grows with every deal.

Concentrated Knowledge

Migration expertise sits with a very small number of people who are simultaneously responsible for operations, onboarding, and vendor management. Key-person risk is acute.

The only way to break the ratchet is to invest in migration capability as a core organizational competency — not treat it as a one-time project to be endured.
Current State → Ideal State
An AI-first approach to migration, governance, and portfolio intelligence

The ideal state: A system flexible enough to ingest acquisition targets and automate most of the data migration and onboarding — auditable, secure-by-default, with playbooks that ensure no liabilities are created. A single pane of glass into all brands for KPIs, financials, and operational oversight.

1. Review All Prior Migrations

Document what worked, failed, was manual/automated, where data was lost. Creates the knowledge base.

2. Commit to a Primary Platform

Based on vendor remediation, contracts, and strategic analysis. Directional — not necessarily permanent.

3. Adopt an AI Model

Hosted frontier models, open-source, or hybrid. Schema mapping and playbook generation are the practical starting point.

4. Build the Migration System

AI-generated playbooks → assisted live migrations → progressive delegation. 9–12 months to co-pilot; 18–24 months to delegation.

Target Evaluation

AI agents perform market reconnaissance and competitive analysis. A proprietary scoring model trained on actual acquisition outcomes.

Portfolio Orchestration

Real-time visibility across all brands. Financial reporting, supplier optimization, economies of scale — the single pane of glass.

Compound Advantage

No single piece is a moat. The integrated system — migration + evaluation + orchestration — trained on actual deal flow becomes increasingly hard to replicate.

Not a software company, but needs tooling. Awayday invests in domain knowledge, playbooks, and data while leveraging commercial AI infrastructure. This requires dedicated technical resources — hired, contracted, or partnered — but the return from faster, safer migrations justifies the investment given migration is the single largest constraint on growth.
Recommended Phased Approach

Phase 1: Protect & Leverage (Months 1–3)
  • Formal breach-risk notices to both vendors via legal counsel
  • Deploy SSO + MFA across all corporate systems and PMS instances
  • Audit all admin accounts across both platforms
  • Negotiate Track security amendment — use CAB seat as lever
  • Negotiate Streamline amendment — demand API token rotation, written remediation plan
  • Engage fractional CISO or dedicated security advisor
  • Begin data inventory across all brands on both platforms
Phase 2: Assess & Build Optionality (Months 4–6)
  • Score vendor remediation — are fixes real or cosmetic?
  • Complete data/integration dependency map per brand
  • Evaluate alternative platforms if pursuing Option C/D
  • Begin AI migration roadmap Stage 1: review all prior migrations
  • Conduct Streamline contract gap analysis
  • Decision gate at Month 6: Select platform strategy with data
Phase 3: Execute & Scale (Months 7–12)
  • If vendors remediate: Formalize governance, build analytics layer, advance AI roadmap to Stages 2–3
  • If vendors fail: Pilot migration of 1–2 brands to new platform, calibrate full migration timeline
  • Regardless: Build acquisition Day-1 Security Checklist
  • Formalize tech due diligence for acquisition targets
  • Codify acquisition integration playbook
Vendor Meeting Preparation
Collaborative framing, documented asks, clear escalation paths

Track — with CAB Member

Approach: Collaborative. "We want to help Track succeed. Addressing these findings strengthens Track's competitive position." Lead with regulatory requirements, not threats.

  • Key asks: Documented remediation timelines for Critical/High findings
  • Security-specific MSA amendment replacing §5.4 blanket disclaimer
  • Cyber insurance certificate
  • Transparency on engineering investment trajectory
  • Escalation: CAB structure → vendor executive → formal documentation of non-response
Streamline — with Internal SME

Approach: More formal given newer relationship. Present findings as compliance documentation the vendor must address.

  • Immediate: Rotate all API tokens — especially the perpetual token
  • Written remediation plan with milestones
  • Authentication on all API endpoints, token expiration policies
  • Pricing stability commitment (multi-year lock)
  • Ask directly: LiveRez/LMPM status? Platform consolidation roadmap? Investor exit timeline?
Note: Working documents are for internal Awayday preparation. The separately delivered assessment reports serve as the formal vendor-facing evidence if needed.
Looking Forward

The Assessment Is the Diagnostic.
This Roadmap Is the Treatment Plan.


Executing it requires dedicated security leadership, technical depth to verify vendor remediation, and strategic continuity through vendor meetings, contract negotiations, and the ongoing acquisition pipeline.

Vendor Remediation

Formal notification, documented timelines, CAB leverage, and verification testing — confirming that fixes are real, not cosmetic.

Contract & Compliance

MSA amendments, Streamline gap analysis, regulatory exposure evaluation, and acquisition security playbooks spanning legal, technical, and strategic domains.

Scaling with Growth

Every acquisition inherits the current security posture. The companies that win in vacation rental consolidation integrate brands fastest and safest. That capability starts here.