United Airlines has paid out two million flight miles to two security researchers who uncovered 14 separate vulnerabilities in the company’s operation.
According to a CNBC report, United confirmed that it has paid out two awards worth 1 million miles each, but would not confirm that various tweets claiming smaller awards were accurate.
One of the men, Jordan Wiens, wrote on his blog: “I stumbled across two potential problems that I wasn't even sure qualified for the bug bounty. The flaws could potentially allow remote code execution, but they were in a portion of United's websites that I wasn't sure would count for the bounty and didn't seem technically interesting. Still, it didn't hurt to send them the info to make sure potential problems got fixed, so away went the report.”
Wiens went on to thank the airline for running the bughunter programme, saying: “Not many non-tech companies have a bug bounty program at all, so hopefully this will be a good experience and they'll consider gaining even more trust from the community by allowing discussion of fixed bugs.”
The payout is the largest so far in United Airlines' bug bounty program, which launched back in May. Bounties start at 50,000 air miles for a cross-site scripting flaw, with a more serious authentication bypass flaw earning 250,000 miles. The gold standard million-mile award is for uncovering a flaw that allows remote code execution on United's online properties, reports The Register.
"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United said on its website.