Advertiser Disclosure

Many of the credit card offers that appear on this site are from credit card companies from which we receive financial compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear). However, the credit card information that we publish has been written and evaluated by experts who know these products inside out. We only recommend products we either use ourselves or endorse. This site does not include all credit card companies or all available credit card offers that are on the market. See our advertising policy here where we list advertisers that we work with, and how we make money. You can also review our credit card rating methodology.

United Offers up to 1 Million Miles for Reporting Website Bugs

Nick Ellis's image
Nick Ellis
Nick Ellis's image

Nick Ellis

Senior Editor & Content Contributor

192 Published Articles 875 Edited Articles

Countries Visited: 35U.S. States Visited: 25

Nick’s passion for points began as a hobby and became a career. He worked for over 5 years at The Points Guy and has contributed to Business Insider and CNN. He has 14 credit cards and continues to le...
Jump to Section

We may be compensated when you click on product links, such as credit cards, from one or more of our advertising partners. Terms apply to the offers below. See our Advertising Policy for more about our partners, how we make money, and our rating methodology. Opinions and recommendations are ours alone.

In this day and age, online security is of the utmost importance, especially in companies like airlines that store massive amounts of personal data, not to mention are responsible for the safe transportation of millions of people on a daily basis.

United Airlines is taking a step to formally recognize just how important online security is by launching a program that will award people who discover novel bugs affecting the airline’s “websites, apps, and/or online portals.”

The carrier says it’s the first airline to offer such a program — here’s everything you need to know.

United’s Bug Bounty Program

United.com homepage
You can earn miles for finding and reporting bugs on United’s online platforms. Image Credit: United Airlines

Bug bounty programs are nothing new — they’ve been around for decades and are currently used by major companies including Google, Microsoft, Facebook, and even the U.S. Department of Defense.

United Airlines, however, has become the first company in the airline industry to employ such a program, which is designed to “[permit] independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.”

And, as you’ll see below, helping United discover bugs with its online platforms can prove to be quite lucrative.

Requirements for Researchers

As you might expect, a program like this comes with some fine print.

In order to qualify for participation in the program, the following criteria, as outlined by United, must be met:

  • The researcher must be a member of the United MileagePlus program (sign up here), and the account must be in good standing.
  • The bug must be a new discovery. Miles will be awarded to the first person who submits a new bug that meets all requirements.
  • The researcher cannot reside in a country that is currently under U.S. sanctions.
  • The researcher cannot be a current or former employee of United Airlines, any Star Alliance member airline, or any United partner airline. In addition, the researcher cannot be a family member or live in the same household as a United or any partner airline employee.
  • The researcher who submits a bug must not be the author of the vulnerable code.

You’ll find a list of bugs that are eligible — and not eligible — for submission. In addition, you’ll find the full terms and conditions of the program.

Off-limits

United spells out a list of activities that are expressly prohibited by the program. If any of the following are attempted, it “will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation:”

  • Brute-force attacks
  • Code injection on live systems
  • Disruption or denial-of-service attacks
  • The compromise or testing of MileagePlus accounts that are not your own
  • Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
  • Any threats, attempts at coercion, or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact, or Nessus)

How To Submit a Bug — And Earn Your Reward

If you believe you’ve found a bug that meets the eligibility requirements as prescribed by United, you can take the following steps:

  • Send an email to bugbounty@united.com with the subject line: “Bug Bounty Submission.”
  • In the body of the email, describe the nature of the bug; the steps required to replicate it; any applications, programs, or tools used to discover it; and the date and time of testing.
  • Also include your full legal name, MileagePlus account number, phone number, and IP address at the time of testing.
  • United notes that it appreciates “a drafted report including legible screenshots.”

If your submission meets United’s criteria, you could earn the following for your discovery:

  • Up to 50,000 MileagePlus miles for a “low-impact” bug. Examples include “cross-site request forgery, third-party security bugs that affect United, and cross-site scripting.”
  • Up to 250,000 MileagePlus miles for a “medium-impact” bug. Examples include “brute-force attacks, potential for personally identifiable information disclosure, timing attacks, and authentication bypass.”
  • Up to 1,000,000 MileagePlus miles for a “high-impact” bug. Examples include “Remote code execution.”

To put this into context, according to our valuations, 50,000 MileagePlus miles are worth $650, 250,000 are worth $3,250, and 1,000,000 are worth a whopping $13,000.

Hot Tip: Wondering what to do with all of your new United MileagePlus miles? Read about all the best ways to redeem them for maximum value!

Final Thoughts

While we’re no experts on cybersecurity or website vulnerabilities, this seems like a good way for people who have skill in this area — and love to travel — to earn a hefty amount of United miles.

There are a lot of requirements to be aware of, but if you think you have the ability to discover bugs in United’s online platforms, you can do everyone a favor by making these products safer to use — and earn plenty of miles for yourself in the process!

Nick Ellis's image

About Nick Ellis

Nick’s passion for points began as a hobby and became a career. He worked for over 5 years at The Points Guy and has contributed to Business Insider and CNN. He has 14 credit cards and continues to leverage the perks of each.

INSIDERS ONLY: UP PULSE

Deluxe Travel Provided by UP Pulse

Get the latest travel tips, crucial news, flight & hotel deal alerts...

Plus — expert strategies to maximize your points & miles by joining our (free) newsletter.

We respect your privacy. This site is protected by reCAPTCHA. Google's privacy policy  and terms of service  apply.

Deluxe Travel Provided by UP Pulse
DMCA.com Protection Status