United Airlines showers air miles on bug bounty researchers

A few hours' work, one million air miles.

United Airlines' new bug bounty program is dishing out the rewards -- granting one researcher a massive 1,000,000 air miles for a reported security vulnerability.

United's bug bounty program was launched in May this year. The airline joins the ranks of Facebook, Google and Microsoft, to name but a few, and in keeping with the firm's industry, United offers air miles in return for vulnerability disclosures.

The program offers rewards for security flaws which impact on the "confidentiality, integrity and/or availability of customer or company information" on front-facing websites and third-party services used by the airline. Rewards range from 50,000 to 1,000,000 air miles per vulnerability, depending on the severity of the problem.

Security researcher Jordan Wiens decided to poke around United's systems and managed to discover a remote code execution (RCE) flaw. Wiens' reward for disclosing the vulnerability was one million air miles, which he disclosed on Twitter.

The researcher said it was "not technically challenging." The only detail revealed concerning the nature of the bug is that the flaw was an RCE-based problem. As noted by security firm Sophos, RCE issues can allow unauthenticated attackers to gain entry to systems, inject malicious code and manipulate applications -- a scenario you do not want to have to tackle as an airline, when customer safety could be placed at risk.

Wiens said:

"The RCE probably wasn't in critical parts of the network. I actually expected less miles since it didn't seem as important."

The flaw was submitted on May 15, and United responded on May 19. The vulnerability was accepted as valid on June 24 and the researcher was paid on July 10. Wiens said United "overpaid" for the bugs, which he described as "effective [..] but boring."

That might be the case, but his plans to take his wife to Hawaii can't be bad for a bug which didn't take too long to find.
