United Airlines to Researchers: Come Report Bugs in Its App

A bug bounty program was announced by United Airlines this week, inviting researchers, security professionals and penetration testers to report bugs in its apps, online portals and websites.

The announcement comes only weeks after the airline removed a security researcher from one of its flights for tweeting about cybersecurity vulnerabilities in on-board aircraft systems.

“We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry,” United said. “We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.”

Frequent Flier Miles for Hackers

United highlights that its Bug Bounty Program is an industry first, with the airline awarding air miles to people who find bugs. The rewards are:

  • 50,000 air miles for a low-severity issue, such as cross-site scripting.
  • 250,000 air miles for a medium-severity issue, such as an authentication bypass.
  • 1,000,000 air miles for a high-severity issue, such as remote code execution.

Curiously, however, the announcement does not invite hackers to look for or report the most critical class of vulnerabilities: those in onboard computer networks, in-flight Wi-Fi and in-flight entertainment systems. The bounty program specifically excludes “bugs on onboard Wi-Fi, entertainment systems or avionics”, and United notes that “[a]ny testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi” could result in a criminal investigation.

“At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure,” United’s announcement adds.

Chris Roberts, the cybersecurity expert who managed to get himself pulled off a United plane, had this to say after the announcement:

United says if you think you’ve found a bug, email bugbounty@united.com and include “Bug Bounty Submission” in the subject line. Don’t report the bug while on the plane though.