United Airlines has become the first company in the airline industry — and one of the few non-software vendors — to launch a bug disclosure bounty program for third-party security researchers who flag vulnerabilities in its software.

Under the program, United will offer free miles to researchers who report bugs in the company’s websites, customer-facing applications and online portals. The rewards range from 50,000 miles to 1 million miles, depending on the severity of the disclosed bug.

Elite Group

The announcement puts United among a handful of non-technology vendors that have launched bug bounty programs to try to identify problems in their software. A list maintained by vulnerability assessment firm Bugcrowd shows that more than 300 organizations currently offer reward programs for responsible software vulnerability disclosures. Almost all of them are software vendors or Web companies.

Bug disclosure programs give security researchers an incentive to find and report bugs in software platforms in a responsible manner. They also offer organizations a way to identify vulnerabilities in their systems that might otherwise have been overlooked.

Surprisingly Effective

Reward programs have proven surprisingly effective for software vendors, and there’s no reason why United shouldn’t benefit from it, as well, said Contrast Security CTO Jeff Williams to SecurityWeek. Restricting the program to only Web-facing applications to start will give United Airlines an opportunity to learn how to handle flaw disclosure reports, he said.

United announced that its vulnerability disclosure program will reward security researchers who find authentication bypass flaws or bugs in the company’s official websites. Disclosures involving third-party programs and common issues such as cross-site request forgery, cross-site scripting, remote code execution and timing attacks are also eligible for rewards.

Disclosures involving remote code execution flaws qualify for a reward of 1 million miles. Medium risks like authentication bypass and timing attacks are eligible for 250,000 miles, while low-security flaws like cross-site scripting will get 50,000.

Program Caveats

In a bid to discourage security researchers from running penetration tests on in-flight systems and equipment, United has explicitly banned certain categories of flaws from its bug disclosure program. For example, security researchers who look for and report bugs in United’s onboard Wi-Fi, entertainment systems and avionics equipment will not be rewarded for the effort.

Poking around such equipment could actually get researchers into trouble. Anyone who executes brute-force attacks against its systems, performs code injection in live systems or launches denial-of-service attacks on any of the United systems could face criminal prosecution, the company warned when launching the program. Penetration tests that compromise the airline’s MileagePlus frequent flier program and any automated scans on the company’s networks could incur a similar consequence, United warned.

Recent Controversy

United’s decision to launch its bug bounty program follows a recent controversy where it banned a security researcher from one of its flights for certain tweets he made about his ability to manipulate airline equipment and aircraft systems, USA TODAY reported. It’s unclear if the incident prompted United to launch the program or if this was something the airline has had in the works for some time.

The challenge for United will be to find a way to manage the program. While bug bounty programs can be beneficial, they can be costly to manage, Williams said. Organizations of United’s size can often have hundreds or even thousands of applications, and handling bug disclosure across them can be difficult. Often, reported flaws may not actually be vulnerabilities, but United will need to follow through and verify each report all the same to make sure there’s no risk.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read