United to award miles to security researchers who discover bugs

The airline says it will offer air miles as part of its new bug bounty program, but there are restrictions. Problems that affect onboard Wi-Fi, entertainment systems and avionics are off-limits.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.

United's bug bounty program offers rewards ranging from 50,000 to 1,000,000 miles. Scott Olson/Getty Images

If you're a security expert and fond of traveling, United Airlines' new bug bounty program will likely be of interest.

Companies such as Google, Microsoft and Facebook offer monetary rewards to outside researchers who discover and disclose security flaws. Now, United has started a similar program, but, in keeping with the company's services, has chosen to offer air miles as rewards.

"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United says. "If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."

If a researcher discovers bugs that affect the "confidentiality, integrity and/or availability of customer or company information" through customer-facing websites and third-party programs used by United, they may be eligible for a reward.

Because cybersecurity is such a hot topic and hiring is at a premium, researchers may expect more than just credit in return for their time. Offering rewards for bug disclosure is becoming a popular method for third-party security professionals to contribute to the protection of a corporate network. If a cyberattacker is able to find a flaw in programs or websites, they are able either to sell the information on the black market or exploit it for their own ends. If they choose to use system security flaws as an entry point into corporate networks, they may be able to steal valuable data and damage business systems -- which in turn can be costly in both financial terms and reputation for victim companies.

Low-severity-rated vulnerabilities, such as third-party problems that affect United, are worth 50,000 air miles. Medium-severity problems, including those that could lead to the disclosure of personally identifiable information, are worth far more: 250,000 miles per vulnerability. High-severity vulnerabilities related to remote code execution are worth a maximum of 1,000,000 air miles.

Security researchers must be MileagePlus members to submit a vulnerability and potentially collect their rewards. In addition, bugs that only affect legacy systems or unsupported browsers, plug-ins and operating systems are not eligible; onboard Wi-Fi, entertainment systems and avionics are also out-of-bounds. Vulnerabilities in internal websites used by United employees are also not eligible for rewards.

The airline also says brute-force attacks, code injection on live systems, distributed denial-of-service attacks, testing on MileagePlus accounts that are not your own, and testing on in-flight systems will result in disqualification and possible criminal investigation.

Last month, a security researcher was removed from a United flight by the FBI and reportedly barred from another flight on the airline after he joked on Twitter about security flaws in the onboard systems.

This story was originally posted as "United Airlines offers air miles as bug bounty reward" on ZDNet.