United Airlines offers air miles for vulnerability information

United Airlines has become the first airline to start a bug bounty program and instead of monetary rewards, it offers air miles: a million for remote code execution bugs, 250,000 miles for medium severity vulnerabilities (authentication bypasses, timing attacks, etc.), and 50,000 for cross-site scripting and cross-site request forgery flaws, as well as third-party issues that affect the company.

Only members of its MileagePlus program can apply, so bug hunters who aren’t will have to become members before sending in their submission.

The bug bounty program encourages researchers to find vulnerabilities in the company’s customer-facing websites, its app, and third-party programs loaded by united.com or its other online properties.

Bugs that only affect legacy or unsupported browsers, plugins or operating systems will not be taken into consideration for rewards, and so will not bugs on the company’s internal sites, partner sites, or bugs on onboard Wi-Fi, entertainment systems or avionics.

In fact, testing and searching for bugs in the company’s aircrafts or aircraft systems such as inflight entertainment or inflight Wi-Fi could lead to “permanent disqualification from the bug bounty program and possible criminal and/or legal investigation.”

This particular injunction is probably (at least partially) a result of the recent hubbub raised by a tweet made by security researcher Chris Roberts, in which he joked about probing the systems of the airplane he was on for vulnerabilities.

The company similarly forbids brute-force and DoS attacks, code injection on live systems, physical and social engineering attacks against United employees, employees of partner airlines, and customers, fiddling with MileagePlus accounts that are not the researcher’s, and automated scans on United servers.