United Airlines is launching a bug bounty program inviting researchers to report bugs in its websites, apps and online portals.
"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United says. "If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."
If a researcher discovers bugs that affect the "confidentiality, integrity and/or availability of customer or company information" through customer-facing websites and third-party programs used by United, they may be eligible for a reward. Low-severity vulnerabilities, such as cross-site scripting, cross-site request forgery and third-party problems which affect United, are worth 50,000 air miles, ZDNet reported.
However, medium-severity problems, such as authentication bypass, brute-force attacks, timing attacks and security problems which could lead to personally identifiable information disclosure, are worth far more, clocking in at 250,000 miles per vulnerability, said ZDNet.
High-severity vulnerabilities related to remote code execution are worth a maximum of 1,000,000 air miles.
"Security researchers must be MileagePlus members in order to submit a vulnerability and potentially collect their rewards. In addition, bugs that only affect legacy systems or unsupported browsers, plugins and operating systems are not eligible; onboard Wi-Fi, entertainment systems and avionics are also out-of-bounds. Vulnerabilities in internal websites used by United employees are also not eligible for rewards," said ZDNet.
The airline says brute-force attacks, code injection on live systems, DDoS attacks, testing on MileagePlus accounts that are not your own and testing on in-flight systems will result in disqualification and possible criminal investigation.