United Airlines offers air miles as bug bounty

By on
United Airlines offers air miles as bug bounty

But don't touch internal, onboard systems.

Major American carrier United Airlines has launched a bug bounty program which offers air miles as a reward for researchers who discover flaws in its web portals.

Bug bounty programs are increasing in popularity as incidents of cybercrime rise. Companies such as Google and Facebook use these programs to get third-party eyes on systems, offering monetary reward for disclosure to lure hackers away from selling the information on the black market.

United Airlines, however, has chosen to offer air miles - on a sliding scale depending on the severity of the bug discovered - instead of cash.

"If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort," the airline said.

Air miles are available for those who discover a bug in customer-facing websites and third-party programs which affects the "confidentiality, integrity and/or availability of customer or company information".

Cross-site scripting, cross-site request forgery and third-party issues affecting United are classified as low-severity and are worth 50,000 air miles.

Researchers can access 250,000 air miles per vulnerability classified as medium-severity, such as authentication bypass, brute force attacks and issues that could lead to personal data being disclosed.

Discovering a high-security vulnerability - such as remote code execution - will earn the researcher a maximum of 1 million air miles.

Those interested in participating in the bug bounty program will need to be MileagePlus members, United said.

The airline is only looking to unearth bugs in customer-facing systems - issues with legacy systems, operating systems, onboard wi-fi, internal websites or entertainment systems are not eligible.

Similarly, any researchers who perform brute force or DDoS attacks, code injection on live systems, or test on in-flight systems will be disqualified and potentially face criminal investigation, United said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?