Naked Security

Teen hacker flies to Black Hat on his one million free airmiles

The biggest payout from United Airlines for his 20+ bugs was a 250,000 mile reward for an undisclosed flaw.

Viral music videos aside, United Airlines does more than break guitars!

It also pays bug bounties of up to 1 million miles, and that’s exactly how Dutch security researcher Olivier Beg got to Defcon and Black Hat in Las Vegas last week.

Beg told Dutch Public Broadcasting that the flight to Vegas cost him 60,000 points, plus €5 out of pocket to cover tax.

Beg, who’s 19, reported a total of about 20 bugs to United, with the largest bounty netting him 250,000 miles.

He wasn’t at liberty to describe the bugs, but we do know that the airline pays out that much for medium-risk vulnerabilities, including login field bypass, brute-force attacks, and holes that might reveal personally identifiable information (PII), such as someone’s password.

United launched its bug bounty program 15 months ago.

Bug bounties, which reward security researchers for responsible disclosure of vulnerabilities, are of course offered by many tech companies, including Facebook, Google and Microsoft.

The bounties more typically come in the form of cash, rather than free miles: Google has even offered up to “infinity dollars” in its program, although most bounties are far less.

United’s rewards range from 50,000 free air miles for low-level bugs (cross-site request forgery, bugs in third-party software affecting United) to 1 million miles for the highest-level kind of bug – remote code execution (RCE).

To qualify for a reward, hackers need to be signed up as members of the airline’s MileagePlus reward program – and they need to comply with a strict set of eligibility rules.

United was one of the first non-tech-specific companies to adopt a bug bounty program.

Lately, we’ve also seen bug bounties offered by the likes of the US Department of Defense, with its Hack the Pentagon program, as well as Tesla, General Motors, Fiat Chrysler, and others.

Since launching the bug bounty last year, United Airlines has rewarded at least two hackers with the million-mile prize for RCE flaws, including a vulnerability researcher from Florida and a Cisco employee.

As of a year ago, that 1 million mile prize translated into about 40 domestic round-trip flights in the US, 20 round-trip flights from the US to Europe, or eight first-class trips.

In other bug bounty news, Apple launched its own program last week.

When the FBI was looking for third parties to help it break into a terrorist’s iPhone, Apple caught some flak over its lack of a vulnerability rewards program: without a bug bounty program, there’s little incentive for researchers to share their findings directly with Apple.

The newly arrived program is invitation-only and nicely lucrative, with bounties that go up to $200,000.

Image of plane courtesy of Greg K__ca / Shutterstock.com.

5 Comments

Glad Apple’s created their own bug bounty program to supplant the FBI’s Apple Bug Bounty Program–would that be FBIABBP or just FABBP?

What’s the point in an invitation only bug bounty program?

Going through bug submissions can be a thankless task, because it requires you to be scrupulously objective and thorough even if you’re pretty sure up front that the bug report won’t qualify, or is already known, or is going to end up unrepeatable, or is incomplete and will need lots of back-and-forth to make it usable, and so on.

So having an invitation-only bug bounty programme isn’t as weird as it sounds, especially at the outset. You may as well start out with security researchers whom you already know and trust, who you think are likely to come up with top-notch work, and who will probably give excellent early feedback about how well the whole process works.
