United Airlines wants to reward you for hacking its system. That is, it wants hackers to find flaws in its security — and plans on giving out miles to show its thanks.
United announced its "Bug Bounty Program" this week, which it says is the "first of its kind within the airline industry," inviting people to find bugs on its website, apps and online portals in order to improve safety and security.
"If the submission meets our requirements, we’ll gladly reward you for your time and effort," the program website stated.
A bug of the highest severity could earn up to 1 million mileage reward points, while a low-severity bug could earn up to 50,000 points.
Here are United's Bug Bounty Program rules:
- All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular bug.
- The researcher must be a MileagePlus member in good standing. If you’re not yet a member, join the MileagePlus program now.
- The researcher must not reside in a country currently on a United States sanctions list.
- The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance™ member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
- The researcher submitting the bug must not be the author of the vulnerable code.
United said it is not seeking, nor will it reward, hackers finding bugs in its onboard Wi-Fi, entertainment or avionics systems. The airline said brute-force attacks or denial-of-service attacks, among others, could be subject to criminal prosecution.
Last month, United stopped a prominent security researcher from boarding a California-bound flight, following a social media post by the researcher days earlier suggesting the airline's onboard systems could be hacked.
The researcher, Chris Roberts, attempted to board a United flight from Colorado to San Francisco to speak at a major security conference in April, but was stopped by the airline's corporate security at the gate. Roberts founded One World Labs, which tries to discover security risks before they are exploited.
Roberts had been removed from an earlier United flight by the FBI after landing in Syracuse, New York, and was questioned for four hours after jokingly suggesting on Twitter he could get the oxygen masks on the plane to deploy. Authorities also seized Roberts' laptop and other electronics, although his lawyer says he hasn't seen a search warrant.
"Given Mr. Roberts' claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United," airline spokesman Rahsaan Johnson told the Associated Press at the time. "However, we are confident our flight control systems could not be accessed through techniques he described."
Learn more about the Bug Bounty Program on United's website.
(H/T: PC World)
The Associated Press contributed to this report.