Many of the credit card offers that appear on this site are from credit card companies from which we receive financial compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear). However, the credit card information that we publish has been written and evaluated by experts who know these products inside out. We only recommend products we either use ourselves or endorse. This site does not include all credit card companies or all available credit card offers that are on the market. See our advertising policy here where we list advertisers that we work with, and how we make money. You can also review our credit card rating methodology.
Nick’s passion for points began as a hobby and became a career. He worked for over 5 years at The Points Guy and has contributed to Business Insider and CNN. He has 14 credit cards and continues to le...
We may be compensated when you click on product links, such as credit cards, from one or more of our advertising partners. Terms apply to the offers below. See our Advertising Policy for more about our partners, how we make money, and our rating methodology. Opinions and recommendations are ours alone.
In this day and age, online security is of the utmost importance, especially in companies like airlines that store massive amounts of personal data, not to mention are responsible for the safe transportation of millions of people on a daily basis.
United Airlines is taking a step to formally recognize just how important online security is by launching a program that will award people who discover novel bugs affecting the airline’s “websites, apps, and/or online portals.”
The carrier says it’s the first airline to offer such a program — here’s everything you need to know.
United’s Bug Bounty Program
Bug bounty programs are nothing new — they’ve been around for decades and are currently used by major companies including Google, Microsoft, Facebook, and even the U.S. Department of Defense.
United Airlines, however, has become the first company in the airline industry to employ such a program, which is designed to “[permit] independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.”
And, as you’ll see below, helping United discover bugs with its online platforms can prove to be quite lucrative.
Requirements for Researchers
As you might expect, a program like this comes with some fine print.
In order to qualify for participation in the program, the following criteria, as outlined by United, must be met:
The bug must be a new discovery. Miles will be awarded to the first person who submits a new bug that meets all requirements.
The researcher cannot reside in a country that is currently under U.S. sanctions.
The researcher cannot be a current or former employee of United Airlines, any Star Alliance member airline, or any United partner airline. In addition, the researcher cannot be a family member or live in the same household as a United or any partner airline employee.
The researcher who submits a bug must not be the author of the vulnerable code.
You’ll find a list of bugs that are eligible — and not eligible — for submission. In addition, you’ll find the full terms and conditions of the program.
Off-limits
United spells out a list of activities that are expressly prohibited by the program. If any of the following are attempted, it “will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation:”
Brute-force attacks
Code injection on live systems
Disruption or denial-of-service attacks
The compromise or testing of MileagePlus accounts that are not your own
Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
Any threats, attempts at coercion, or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact, or Nessus)
How To Submit a Bug — And Earn Your Reward
If you believe you’ve found a bug that meets the eligibility requirements as prescribed by United, you can take the following steps:
Send an email to bugbounty@united.com with the subject line: “Bug Bounty Submission.”
In the body of the email, describe the nature of the bug; the steps required to replicate it; any applications, programs, or tools used to discover it; and the date and time of testing.
Also include your full legal name, MileagePlus account number, phone number, and IP address at the time of testing.
United notes that it appreciates “a drafted report including legible screenshots. ”
If your submission meets United’s criteria, you could earn the following for your discovery:
Up to 50,000 MileagePlus miles for a “low-impact” bug. Examples include “cross-site request forgery, third-party security bugs that affect United, and cross-site scripting.”
Up to 250,000 MileagePlus miles for a “medium-impact” bug. Examples include “brute-force attacks, potential for personally identifiable information disclosure, timing attacks, and authentication bypass.”
Up to 1,000,000 MileagePlus miles for a “high-impact” bug. Examples include “Remote code execution.”
To put this into context, according to our valuations, 50,000 MileagePlus miles are worth $650, 250,000 are worth $3,250, and 1,000,000 are worth a whopping $13,000.
Hot Tip: Wondering what to do with all of your new United MileagePlus miles? Read about all the best ways to redeem them for maximum value!
Final Thoughts
While we’re no experts on cybersecurity or website vulnerabilities, this seems like a good way for people who have skill in this area — and love to travel — to earn a hefty amount of United miles.
There are a lot of requirements to be aware of, but if you think you have the ability to discover bugs in United’s online platforms, you can do everyone a favor by making these products safer to use — and earn plenty of miles for yourself in the process!