Gogo, a familiar provider of Wi-Fi for anyone who flies, has announced the launch of its bug bounty program with Bugcrowd. The payouts will range from $100 - $1,500 per bug.
The inflight internet and entertainment provider is looking to build a public bug bounty program that will leverage Bugcrowd’s entire crowdsourced community of cybersecurity researchers. It plans to test both Gogo's ground-based public website, as well as Gogo's airborne systems, for security vulnerabilities.
The ground based public website gogoair.com is the first point of entry for users to create a user account and get pricing information. The sub-domain buy.gogoair.com handles account creation and handles credit card processing.
The airborne network on the gogoinflight.com domain is only live on Gogo-equipped aircraft, and for testing of the airborne systems, researchers will only be able to access these systems while flying. This domain and sub-domains act as an internet gateway/proxy and also serve video content to customers on the plane for on-demand content as well as watching live TV.
Researchers also are free to test any services running on the aforementioned hosts.
“Our goal with this program is to ensure that Gogo's customers and employees are using a secure platform that's free of security vulnerabilities,” the company said. “We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Gogo. Every day new security issues and attack vectors are created. Gogo strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure environment.”
Interested white hats should make sure to include all remediation steps to fix any discovered vulnerabilities with his or her submission.
“Since we are testing real world scenarios, no elevated credentials will be provided for researchers,” the company added. “All researchers will need to create free user-level accounts to test elevated portions of the website (e.g., create an account to access credit card transaction pages, etc.). Similarly, there are no test credit cards/data that can be used for testing purposes—all actions/transactions will be live/real.”
Any and all usage of DDoS botnets against the websites are forbidden.
Photo © Alex Brylov