United Airlines showers air miles on bug bounty researchers

A few hours' work, one million air miles.
Written by Charlie Osborne, Contributor on

United Airlines' new bug bounty program is dishing out the rewards -- granting one researcher a massive 1,000,000 air miles for a reported security vulnerability.

United's bug bounty program was launched in May this year. The airline joins the ranks of Facebook, Google and Microsoft, to name but a few, and in keeping with the firm's industry, United offers air miles in return for vulnerability disclosures.

The program offers rewards for security flaws which impact on the "confidentiality, integrity and/or availability of customer or company information" on front-facing websites and third-party services used by the airline. Rewards range from 50,000 to 1,000,000 air miles per vulnerability, depending on the severity of the problem.

Security researcher Jordan Wiens decided to poke around United's systems and managed to discover a remote code execution (RCE) flaw. Wiens' reward for disclosing the vulnerability was one million air miles, which he disclosed on Twitter.

The researcher said it was "not technically challenging." The only detail revealed concerning the nature of the bug is that the flaw was an RCE-based problem. As noted by security firm Sophos, RCE issues can allow unauthenticated attackers to gain entry to systems, inject malicious code and manipulate applications -- a concept you do not want to have to tackle as an airline, when customer safety could be placed at risk.

Wiens said:

"The RCE probably wasn't in critical parts of the network. I actually expected less miles since it didn't seem as important."

The flaw was submitted on May 15, and United responded on May 19. The vulnerability was accepted as valid on June 24 and the researcher was paid on July 10. Wiens said United "overpaid" for the bugs, which he described as "effective [..] but boring."

That might be the case, but his plans to take his wife to Hawaii can't be bad for a bug which didn't take too long to find.
