US flight operator United Airlines has launched a reward programme for security experts who reveal vulnerabilities in the software used on its web sites.
Programmers can earn up to one million air miles, enough for a first-class flight or two, for finding the most serious bugs related to remote code execution, but the airline said its in-flight software systems were not part of the bug bounty programme.
The move comes soon after the US government warned about the security of software used for in-flight systems. Bugs in firewalls used in software that supports in-flight entertainment could give attackers a way to get at control systems, it said.
“We believe that this program will further bolster our security and allow us to continue to provide excellent service,” United said. “If you think you have discovered a potential bug that affects our web sites, apps and/or online portals, please let us know.”
Any potential vulnerabilities in the system which affect the confidentiality, integrity and availability of customer or company information may be eligible for the reward.
Bugs rated low severity, such as cross-site scripting, cross-site request forgery and third-party problems that affect United, are worth 50,000 air miles.
Medium-severity problems including authentication bypass, brute-force attacks, timing attacks and security problems which could lead to personally identifiable information disclosure are worth far more, clocking in at 250,000 miles per vulnerability.
While it’s starting to become common practice for technology companies like Google, Microsoft or Facebook to reward programmers who find security bugs in their code, United is the first airline to set up and run a bug bounty programme.
Security researchers must be MileagePlus members in order to submit a vulnerability and potentially collect their rewards.