United Airlines has announced that it has begun a rewards program for security researchers willing to search for security vulnerabilities affecting its websites, apps, and online portals. Those who find and disclose the security issues to the company will be rewarded with miles that can be used for the company’s Mileage Plus loyalty program for free flights. Rewards range from 50,000 miles for “low” severity flaws to 1,000,000 miles for security flaws deemed severe.
United says that its new rewards program is the first of its kind within the airline industry. United wrote on its website “We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program. We believe that this program will further bolster our security and allow us to continue to provide excellent service.”
The United program specifically excludes bugs on onboard Wi-Fi, entertainment systems or avionics. The company warned of possible criminal and legal investigations for any testing of live systems on planes or aircraft systems. If you think you’ve discovered a bug eligible under the program, you can email United at email@example.com and include “Bug Bounty Submission” in the subject line.
The launch of the reward program follows an incident that occurred aboard a United Airlines flight last month. While flying on a United 737/800, Chris Roberts, founder and CTO of One World Labs, posted a tweet about possibly accessing the plane’s network to see if he could affect the passenger oxygen masks. When the plane landed, Roberts was questioned by police and FBI agents and had his laptop and other electronics confiscated.
Several reports have recently surfaced warning that planes may be vulnerable to Wi-Fi hacking by a determined hacker. The Government Accountability Office recently issued a report regarding unsecured connections between the passenger Wi-Fi networks and avionics systems possibly allowing a hacker to access the navigational controls of Boeing and Airbus planes, effectively commandeering the aircraft. The FBI and TSA also issued a joint alert about the possibility of such an incident and advised airlines to watch out for network intrusions.