United Airlines Pays Out Million-Mile Bug Bounty

United’s high-flying bug bounty seems to be working: The airline said that it has awarded millions of frequent flier miles to white-hats already, just a couple of months after launching its program.

United confirmed to Reuters that it has paid out two awards worth 1 million miles each. Jordan Wiens tweeted last week that he received United's top reward of 1 million miles for exposing a flaw that could have allowed hackers to seize control of one of the airline's websites.

"It's really interesting that United did what they did," he said in an interview with the news service. "There actually aren't that many companies in any industry outside of technology that do bug bounties."

United did not, however, confirm tweets from individuals who say they have been paid smaller awards as well.

United unveiled the approach in May, just weeks after thieves with stolen usernames and passwords broke into customer accounts at both American Airlines and United Airlines, booking trips for themselves using people's stores of frequent flier miles. A United Airlines spokesperson told the Associated Press that mileage transactions were made on only about three dozen accounts, and that the stolen miles would be restored to the affected customers' accounts.

Nonetheless, the airline rolled out the bounty program, saying that it’s looking for issues that affect the confidentiality, integrity and/or availability of customer or company information. The eligible list includes: Authentication bypass; bugs on customer-facing websites, the United app or third-party programs loaded by united.com or its other online properties; cross-site request forgery (CSRF) and cross-site scripting (XSS); potential for information disclosure; remote code execution; timing attacks that prove the existence of a private repository, user or reservation; and the ability to brute-force reservations, MileagePlus numbers, PINs or passwords.

"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United said on its website, declining additional comment.
