United Offers “Bug Bounty” of up to 1m Miles for Hackers who Find Vulnerabilities in Website, Mobile App

While big companies are known to quietly seek out the services of white-hat hackers to test for weaknesses in their networks and websites, it’s not every day that a major airline publicly offers a “bounty” to people who can diagnose vulnerabilities in its systems.

United’s Bug Bounty program rewards independent researchers with airline miles for discovering and reporting issues that affect United’s websites, mobile apps and online portals in a way that could put customer data at risk, Wired reports.

United said in an announcement on Thursday that the new program is an extension of its commitment to protecting customers’ privacy and the personal data they share with the airline.

“We believe that this program will further bolster our security and allow us to continue to provide excellent service,” the company said.

The airline offers three bounties (or mileage amounts awarded) depending on the type and severity of bug found.

High-severity bugs, such as a vulnerability that would allow a hacker to execute code on a United property, result in a payout of as many as 1 million miles.

Medium-severity flaws, which the airline says include the ability to identify customer information or bypass login requirements, can result in a reward of up to 250,000 miles.

Smaller vulnerabilities, like third-party issues that affect United, come with a bounty of up to 50,000 miles.

Of course, the airline placed several stipulations and restrictions on the program.

For one, it’s first come, first served, meaning only new discoveries qualify for rewards.

Bugs that only affect legacy or unsupported browsers, plugins and operating systems and bugs on the internal sites for United employees and agents are not eligible for submission. Additionally, employees and those living in their households are not permitted to take part in the program.

While the program is centered on finding vulnerabilities in United’s systems, it doesn’t cover all areas of the airline, such as an aircraft’s network.

In fact, participants are prohibited from testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.

According to the program’s rules, anyone who attempts to breach those systems will be permanently disqualified and could face criminal or legal action.

The susceptibility of those networks came to light back in April when the Government Accountability Office released a report that identified security weaknesses within the airline industry, including the possibility that newer airplanes with interconnected Wi-Fi systems could be hacked.

The Federal Bureau of Investigation and Transportation Security Administration quickly followed up the report by issuing an alert warning airlines to be vigilant about monitoring for such threats.
