United Airlines bug bounty shells out 1.8M miles for three flaws

14 flaws nixed by crowdsourced code-hunters

United Airlines has paid 1.5 million flight miles to two bug hunters who squelched 14 vulnerabilities under its newly hatched bug bounty program.

Florida man Jordan Wiens reported two remote code execution bugs to the airline but could not detail the technical aspects given the program's non-disclosure agreement.

The program was launched in May. A cross-site scripting flaw will attract 50,000 air miles, while a more serious authentication bypass flaw or a method for carrying out a denial-of-service attack could earn 250,000 miles. The top million-mile payout is awarded for problems that would allow remote code execution on United's online properties.

"I stumbled across two potential problems that I wasn't even sure qualified for the bug bounty," Wiens says.

"The flaws could potentially allow remote code execution, but they were in a portion of United's websites that I wasn't sure would count for the bounty and didn't seem technically interesting.

"Still, it didn't hurt to send them the info to make sure potential problems got fixed, so away went the report."

He thanked the airliner for its payment which will allow the hacker to clock a very large amount of air time, and added he would like to see the program opened up such that bug hunters can published details of their patched hacks.

Melbourne, Australia, bug hunter Nathaniel Wakelam bagged half a million United Airlines miles for a single bug he found 16 May.

He says he found a dozen further flaws, the most severe of which could have allowed for unauthorised access to data.

Wakelam, like Wiens, could not be more specific about the flaws under the program's rules.

"I found a handful of issues ranging in severity, some of which were of a high impact," he told Vulture South.

"I've been rewarded 500,000 miles for a bug I found on May the 16th and I still have several bugs pending.

"Overall, I probably dedicated ~10 hours to their bug bounty program."

Third bug hunter Neal Poole says he bagged 300,000 miles for a bug submitted this month.

The United Airlines security bods behind the bug bounty have been widely praised by bug hunters for their efforts in getting the program off the ground.

The points bounties will buy you plenty of air time: United's calculator suggests an Australia-USA flight costs 80,000 points in economy class, or 350,000 in the pointy end of the plane. ®




Biting the hand that feeds IT © 1998–2018