If you are a security researcher and fond of traveling from one conference to another, then United Airlines' bug bounty program would be of great interest for you.
United Airlines has launched a new bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals.
Bug bounty programs are very common among technology firms, including Google and Facebook, who offer you hundreds of thousands of dollars as rewards for exposing security flaws and errors in their products.
So, what’s different in United Airlines new bug bounty?
The most interesting part of this bug bounty program is – Instead of offering cold, hard cash, United Airlines is offering air miles as the reward for yours.
Let’s see what United Airlines says about its bug bounty program:
"At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure," said the company.
"We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps, and online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."
The classification of the bug bounty rewards:
The rewards range from 50,000 air miles to 1 Million air miles. The worse the vulnerability you discover, the more miles you win.
- Low-severity bugs including cross-site scripting, cross-site request forgery and third-party issues affecting United are worth 50,000 air miles.
- Medium-severity flaw includes authentication bypass, denial-of-service attacks, brute-force attacks and security issues that could lead to the disclosure of personally identifiable information are worth 250,000 air miles per vulnerability.
- The top prize, a Million-mile payout, will be rewarded to researchers who will find high-severity vulnerabilities related to issues that would lead remote code execution on United's online properties.
However, there are some important rules by United Airlines that are worth keeping in mind too.
One important rule to note is that the bug bounty program specifically doesn’t cover vulnerabilities in its "onboard Wi-Fi, entertainment systems or avionics" systems, thus don’t do ahead digging out bugs while you are in-flight.
It doesn’t mean that United Airlines do not consider such vulnerabilities as serious, but it really don’t want to encourage researchers attempting to find bugs in a plane that is flying at 30,000 feet.
Don’t mess with in-flight systems
One such example United recently introduced as part of the small print, when they removed security researcher Chris Roberts from a flight for a joke tweet made by him about possible in-flight vulnerabilities.
Accidentally crashing flight’s ticketing server means lost revenue or accidentally crashing a flight’s avionics potentially means lost of lives. So according to the fine print, these types of attempts would considered possibly under criminal investigation.
Moreover, vulnerabilities only exist on unsupported operating systems or browsers are not considered to be eligible for the bounty program.
Although, it’s good to see that United Airlines is welcoming vulnerability reports from researchers and rewarding them for their work that shows their keenness to protect their customers’ privacy and prevent hackers from exposing their databases or other sensitive details.