Hackers Awarded 1 Million Air Miles for Finding Bugs

One million frequent-flier air miles were awarded to two hackers each for finding holes and vulnerabilities in the airline’s network and computer systems.

United Airlines has rewarded two hackers with a million air miles each for spotting and making the airline aware of security holes on its website, according to a report in USA Today.

Luke Punzenberger, a United spokesman said that two security researchers have been awarded the maximum of a million air miles each while others also received smaller awards. A million air miles compares to:

  • 20 round-trips in the US.
  • Many first-class round trips to Asia.
  • 5 circumnavigating trips around the world.

“We’re confident that our systems are secure,” said Punzenberger, who declined to speak about the flaws and vulnerabilities that the hackers had discovered. He further added that the hackers’ information had already been turned over and relayed to the airline’s security researchers.

Bug Bounty Programs

Tech companies and security firms routinely offer bug bounty programs, encouraging security researchers and experts to find bugs in their software and networks. Companies such as Google and Facebook have long-standing bug-bounty programs. However, such programs are uncommon in the transportation industry and United says it’s the first airline to do so. With the novel idea of offering frequent flyer miles instead of cash, United has garnered the attention of the white-hat hacking community.

“I don’t usually do bug bounties for several reasons, but United made the reward seem worth the effort,” said Kyle Lovett, one of the winning hackers. Lovett did not disclose details of the bug he found, but he did insist that it “wasn’t a trivial” vulnerability.

Employed at Cisco, Lovett said that he discovered and documented the bug in only two hours and added that United quickly patched the bug he discovered.

Jordan Wiens was the other hacker to be awarded a million air miles. He is the co-founder of a cybersecurity firm called Vector35 and posted a screenshot of his United mileage account with an accompanying tweet on Twitter.

United first announced the bug bounty program back in May. At the time, the airline released a statement saying, “We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry”.

“We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.”