United Offers up to 1 Million Miles for Reporting Website Bugs

In this day and age, online security is of the utmost importance, especially in companies like airlines that store massive amounts of personal data, not to mention are responsible for the safe transportation of millions of people on a daily basis.

United Airlines is taking a step to formally recognize just how important online security is by launching a program that will award people who discover novel bugs affecting the airline’s “websites, apps, and/or online portals.”

The carrier says it’s the first airline to offer such a program — here’s everything you need to know.

United’s Bug Bounty Program

Bug bounty programs are nothing new — they’ve been around for decades and are currently used by major companies including Google, Microsoft, Facebook, and even the U.S. Department of Defense.

United Airlines, however, has become the first company in the airline industry to employ such a program, which is designed to “[permit] independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.”

And, as you’ll see below, helping United discover bugs with its online platforms can prove to be quite lucrative.

Requirements for Researchers

As you might expect, a program like this comes with some fine print.

In order to qualify for participation in the program, the following criteria, as outlined by United, must be met:

• The researcher must be a member of the United MileagePlus program (sign up here), and the account must be in good standing.
• The bug must be a new discovery. Miles will be awarded to the first person who submits a new bug that meets all requirements.
• The researcher cannot reside in a country that is currently under U.S. sanctions.
• The researcher cannot be a current or former employee of United Airlines, any Star Alliance member airline, or any United partner airline. In addition, the researcher cannot be a family member or live in the same household as a United or any partner airline employee.
• The researcher who submits a bug must not be the author of the vulnerable code.

You’ll find a list of bugs that are eligible — and not eligible — for submission. In addition, you’ll find the full terms and conditions of the program.

Off-limits

United spells out a list of activities that are expressly prohibited by the program. If any of the following are attempted, it “will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation:”

• Brute-force attacks
• Code injection on live systems
• Disruption or denial-of-service attacks
• The compromise or testing of MileagePlus accounts that are not your own
• Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
• Any threats, attempts at coercion, or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
• Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
• Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact, or Nessus)

How To Submit a Bug — And Earn Your Reward

If you believe you’ve found a bug that meets the eligibility requirements as prescribed by United, you can take the following steps:

• Send an email to bugbounty@united.com with the subject line: “Bug Bounty Submission.”
• In the body of the email, describe the nature of the bug; the steps required to replicate it; any applications, programs, or tools used to discover it; and the date and time of testing.
• Also include your full legal name, MileagePlus account number, phone number, and IP address at the time of testing.
• United notes that it appreciates “a drafted report including legible screenshots.”

If your submission meets United’s criteria, you could earn the following for your discovery:

• Up to 50,000 MileagePlus miles for a “low-impact” bug. Examples include “cross-site request forgery, third-party security bugs that affect United, and cross-site scripting.”
• Up to 250,000 MileagePlus miles for a “medium-impact” bug. Examples include “brute-force attacks, potential for personally identifiable information disclosure, timing attacks, and authentication bypass.”
• Up to 1,000,000 MileagePlus miles for a “high-impact” bug. Examples include “Remote code execution.”

To put this into context, according to our valuations, 50,000 MileagePlus miles are worth $650, 250,000 are worth $3,250, and 1,000,000 are worth a whopping $13,000.

Hot Tip: Wondering what to do with all of your new United MileagePlus miles? Read about all the best ways to redeem them for maximum value!

Final Thoughts

While we’re no experts on cybersecurity or website vulnerabilities, this seems like a good way for people who have skill in this area — and love to travel — to earn a hefty amount of United miles.

There are a lot of requirements to be aware of, but if you think you have the ability to discover bugs in United’s online platforms, you can do everyone a favor by making these products safer to use — and earn plenty of miles for yourself in the process!