Skip to content

Fly the Friendly Skies by Thwarting Unfriendly Attacks

United Airlines has a unique program in place. Thwart security attacks and be rewarded with airline miles to help you go on vacation in style.

United reports on its website that it has established what it calls a “Bug Bounty” program. (Makes me think of the A&E reality show “Dog the Bounty Hunter” for some reason.”

The airline says, “We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry.”

As ZDNet.com reports companies like United want to stop hackers as quickly as possible. Otherwise, once they find flaws the information can be sold or exploited for personal gain. Hacking into an airline’s miles reward system could guarantee you free world travel. As ZDNet adds, “If they choose to use system security flaws as an entry point into corporate networks, they may be able to steal valuable data and damage business systems — which in turn can be costly in both financial terms and reputation for victim companies.”

United says its “bug bounty program permits independent researchers to discover and report issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.”

Different mileage awards are given dependent on severity. You could receive anywhere from 50,000 up to 1,000,000 miles. As a frequent flyer, I drool slightly at the thought of one million miles being in my account (but in full disclosure I am not a United frequent flyer).

United lays out the eligibility requirements. “To ensure that submissions and payouts are fair and relevant, the following eligibility requirements and guidelines apply to all researchers submitting bug reports,” the site says:

  • All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular security bug.
  • The researcher must be a MileagePlus member in good standing.
  • The researcher must not reside in a country currently on a United States sanctions list.
  • The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance™ member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
  • The researcher submitting the bug must not be the author of the vulnerable code.

The last one is interesting. It has me thinking United doesn’t want to reward vendors who messed up in the first place. But what’s to stop a coder from realizing a mistake and suggesting a fix to a friend? You know, what they call an accomplice in the underworld.

Bugs that are eligible for submission:

  • Authentication bypass
  • Bugs on United-operated, customer-facing websites such as:
  1. united.com
  2. beta.united.com
  3. mobile.united.com
  4. mystatus.united.com
  5. smartphone.continental.com
  • Bugs on the United app
  • Bugs in third-party programs loaded by united.com or its other online properties
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Potential for information disclosure
  • Remote code execution
  • Timing attacks that prove the existence of a private repository, user or reservation
  • The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)

Bugs that are not eligible for submission:

  • Bugs that only affect legacy or unsupported browsers, plugins or operating systems
  • Bugs on internal sites for United employees or agents (not customer-facing)
  • Bugs on partner or third-party websites or apps such as:
  1. cruises.united.com
  2. hotels.united.com
  3. hub.united.com
  4. unitedmileageplus.com
  5. vacations.united.com
  • Bugs on onboard Wi-Fi, entertainment systems or avionics
  • Insecure cookie settings for non-sensitive cookies
  • Previously submitted bugs
  • Self-cross-site scripting
  • Vulnerabilities that apply only to you or your own account

That last one makes a lot of sense. After all, what’s to stop a dishonest IT type from hacking his or her account just to rack up the miles?

Of course, United has been under fire for devaluing its frequent flyer program. So, maybe those million miles aren’t going to do you as much as good as you might think. According to the website ThePointsGuy.com (which tracks these kinds of things), points out “United sure did a number on its award chart early last year …  In late 2013, United announced it would be increasing the price of award ticket redemptions significantly, especially when booking seats in premium cabins on Star Alliance and other partner airlines.”