United offers reward miles to hackers who report security flaws

Hackers and cybersecurity researchers can now earn thousands of frequent flier miles for every bug discovered in the airline's website or mobile applications.

United Airlines is offering ethical hackers and cybersecurity researchers frequent flier miles for reporting discoveries of new vulnerabilities in the company’s website and mobile applications.

The company posted information Thursday about its so-called Bug Bounty Program on its website and claims it is the first such program to be offered by an airline.

The program “permits independent researchers to discover and report issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug,” according to the posting on United’s website.

United is offering 50,000 reward miles for low severity vulnerabilities, such as cross-site scripting. Medium severity risks, like brute force attacks, authentication bypasses or anything that could potentially lead to the loss of personally identifiable information, will earn researchers 250,000 miles. And the highest severity attack — remote code execution vulnerabilities — will earn a lucky hacker 1 million reward miles, which is more than enough for two roundtrip tickets from the U.S. to China.


A screen grab from United’s Bug Bounty Program webpage (

The catch

Hackers that want to take part in the program must abide by strict rules established by United. For example, anybody caught running vulnerability scans against aircraft Wi-Fi systems, entertainment systems or avionics will face permanent disqualification from the program and could face criminal charges.

In addition, those interested in participating must be current members in good standing of United’s MileagePlus program and cannot reside in a country on a U.S. government sanctions list. Researchers also cannot be the author of the code in which the vulnerabilities are discovered or work for United Airlines. Hackers that meet those criteria simply need to be the first person to report the bug.

Kandy Zabka, vice president of cybersecurity and threat intelligence at Houston, Texas-based Dark Data Service LLC, called United’s decision to launch a bounty program “brilliant” and said it’s a great opportunity for a large pool of cyber talent.


“I know so many talented coders who cannot get jobs, but are honest people. This is one way to deflate the current trend of hacking just to hack or trying to get money illegally,” Zabka said. “I think all companies should offer bounties.”

An increasing number of companies are offering public bug bounty programs. According to the website, which maintains a list of such programs, there are 119 known bug bounty programs offered by the likes of Etsy, Microsoft, PayPal, Snapchat, Starbucks and others.

The United Bug Bounty Program comes just a few weeks after the airline banned security researcher Chris Roberts from flying on the company’s aircraft after Roberts tweeted about cyber vulnerabilities in onboard cyber systems while flying from Chicago to Syracuse, New York. Upon landing, he was met by FBI agents who confiscated his computer and questioned him for hours. He acknowledged to agents that he had scanned onboard systems during previous flights.

When he learned of United’s new bounty program, Roberts sent out the following tweet:


Security researcher Chris Roberts sent this tweet after learning of the United bounty program. Roberts was detained and question by the FBI last month for tweeting about aircraft cyber vulnerabilities. United then banned him from flying.

Latest Podcasts