United Airlines Will Give You Up To A Million Miles For Finding Security Bugs


Bug bounty programs are great. Utilized by everyone from Facebook to Google, they encourage security researchers to dig up bugs and disclose them responsibly in exchange for rewards — generally meaning a chunk of cash and a bit of glory.

Here’s a new one, though: your bugs in exchange for… airline miles?

United Airlines has just launched a bug bounty program, offering up big ol’ bundles of airline miles in exchange for any bugs you might find in its sites or apps.

One important thing to note: it specifically doesn’t cover bugs in its “onboard Wi-Fi, entertainment systems or avionics” — so don’t go a-diggin’ while you’re bored on your redeye. According to the fine print, that’s a quick way to get tossed off a flight and (possibly) under criminal investigation.

It’s a very necessary distinction — they really don’t want to encourage people to meddle around with systems on live flights. Finding bugs often means poking around until something breaks. Accidentally crashing United’s ticketing server means lost revenue. Accidentally crashing a plane’s avionics potentially means lost lives.

If you find a security issue lurking in United’s websites or apps, though, they’re (mostly) fair game.

You can find all the details here, but the general gist: the worse the bug, the more miles you get. Find a cross-site scripting issue they missed? That’s 50,000 miles. Manage to execute remote code on one of their servers? That’s a million miles banked — or enough to fly back and forth to Europe 15 times, if you’re flying coach.

It’s a nifty concept, if they handle it right. While I’m sure many researchers might balk at the idea of receiving miles instead of cold hard cash, it’s better than the t-shirts/stickers/big-bag-of-nothing that some companies offer up in exchange for bugs.

The pity, of course, is that it ultimately means flying on United. Dear Virgin America: copy this idea, please.