United Offering Up to 1 Million Mile to Hackers

United-Airlines-milesUnited Airlines is offering up to 1,000,000 miles to online security experts that report bugs on its Web site and mobile apps. That’s enough miles to buy five Around The World passes, each of which is good for up to 16 international flights.

It’s not unusual for tech companies to offer money to security researchers and hackers to report bugs. The practice helps companies take care of security concerns before private information, such as customers’ credit card numbers, are leaked. However, this is the first time we’ve heard of an airline offering miles rather than monetary compensation.

You don’t have to be a top-level security researcher to participate in this program, but United does have some stringent requirements. All bugs have to be new discoveries and United will only award miles to the first person that submits each big. The person submitting each bug must already be a MileagePlus member in good standing. And of course, people submitting the bugs can’t be the ones responsible for causing the problems in the first place. You can learn more at United’s Bug Bounty information page.

Low security bugs are what most people with limited security knowledge will be able to spot and United will reward those that find them 50,000 miles, enough for a domestic roundtrip flight. Medium security threats that have the potential to reveal personally identifiable information are worth 250,000 miles. High security threats, including remote code execution are worth the ultimate 1,000,000 prize. Remote code execution is a kind of threat that would allow hackers to control United’s Website, servers or apps illegally.

If you don’t understand what anything in the below table means, your best bet is probably to focus on earning United miles by signing up for a United MileagePlus card, which currently comes with 50,000 miles.

  • Remote code execution
  • Authentication bypass
  • Brute-force attacks
  • Potential for personally identifiable information (PII) disclosure
  • Timing attacks
  • Cross-site scripting
  • Cross-site request forgery
  • Third-party issues that affect United