United Airlines Rolls Out Bug Bounty

In the wake of a high-profile frequent flier account hack, United Airlines has rolled out a bug bounty program, promising airline miles for vulnerabilities. A lot of miles too: up to 1 million for a remote code execution flaw.

“At United, we take your safety, security and privacy seriously,” the airline said in its announcement. “We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry.”

In January, it was revealed that high-flying thieves with stolen usernames and passwords had broken into customer accounts at both American Airlines and United, booking trips for themselves using peoples’ stores of frequent flier miles. The login information was pilfered through a third-party source, and mileage transactions were made on about three dozen United accounts, and about 10,000 AA accounts were hacked. Talk about flying the unfriendly skies.

United said that it’s looking for issues that affect the confidentiality, integrity and/or availability of customer or company information. The eligible list includes: Authentication bypass; bugs on customer-facing websites, the United app or third-party programs loaded by united.com or its other online properties; cross-site request forgery (CSRF) and cross-site scripting (XSS); potential for information disclosure; remote code execution; timing attacks that prove the existence of a private repository, user or reservation; and the ability to brute-force reservations, MileagePlus numbers, PINs or passwords.

Non-customer-facing sites, partner or third-party websites or apps and a few others are not eligible for bounties. But notably, neither are those in critical systems like onboard Wi-Fi, entertainment systems or avionics.

The payout structure is based on the severity and impact of bugs (all bugs must of course be new discoveries). It ranges from the aforementioned 1 million frequent miles to 50,000 for CSRF, XSS and third-party code loaded by United sites.

Award miles will be provided only to the first researcher who submits a particular bug, who must be a MileagePlus member in good standing.

“We believe that this program will further bolster our security and allow us to continue to provide excellent service,” the airline said. “If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.”

What’s Hot on Infosecurity Magazine?