United Gives Hackers Millions Of Free Airlines Miles Via Bug Bounty Program

To quote the Guinness brothers, rewarding security researchers with frequent flier miles in exchange for rooting out system bugs is "brilliant!" That's what United Airlines is doing, and it's already given out two of its highest awards available -- one million miles -- which is enough to redeem for dozens of domestic flights (or less if flying first class).

United is the only airline to offer such a program. It was unveiled back in May only weeks before technical woes forced the company to ground its planes on two separate occasions. One was due to an inability to access United's reservations system, and the second incident involved software needed for flight plans.

United Airlines

"We believe that this program will further bolster out security and allow us to continue to provide excellent service," United said.

United breaks down bug bounties into three tiers based on severity -- low, medium, and high. Cross-site scripting, cross-site request forgery, and third-party issues affecting United are deemed Low and pay out 50,000 award miles. The Medium tier covers authentication bypass, brute-force attacks, potential for personally identifiable information disclosure, and timing attacks, all of which pay out 250,000 award miles. And for the big award -- one million miles -- High level threats are those that involve remote code execution.

What's genius about this approach is that United can save a lot of money while still making its systems more secure. It's cheaper to hand out miles redeemable for flights and upgrades -- especially when they're redeemed for seats that would have otherwise been empty -- than it is to throw money at security firms.

One of the million-mile recipients is Jordan Wiens. He found a flaw that would have allowed a hacker to take control of United's websites. And the other recipient is Kyle Lovett who found a bug that "was of the injection variety."

Via:  Reuters
Show comments blog comments powered by Disqus