If the official Internet web site of United Airlines does not work properly, you could now be part of the reason if you did not act upon the new Bug Bounty program, from which you could earn up to one million MileagePlus frequent flier loyalty program miles, pardner.
The Bug Bounty program, which United describes as an “experimental and discretionary reward program”, is the first of its kind in commercial aviation, and it could further bolster the security of the airline's customer-facing web sites and allow United Airlines to continue to provide excellent service. To ensure that submissions and payouts are fair and impactful, the following eligibility requirements and guidelines apply to all researchers who submit bug reports:
- All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular bug.
- The researcher must be a MileagePlus member in good standing. If you’re not yet a member, join the MileagePlus program now.
- The researcher must not reside in a country currently on a United States sanctions list.
- The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
- The researcher submitting the bug must not be the author of the vulnerable code.
Bugs Which are Eligible for Submission
- Authentication bypass
- Bugs on customer-facing Internet web sites, such as:
  - united.com
  - beta.united.com
  - mobile.united.com
- Bugs in the United Airlines mobile app
- Bugs in third-party programs loaded by united.com or its other on-line properties
- Cross-site request forgery
- Cross-site scripting — also known as XSS
- Potential for information disclosure
- Remote code execution
- Timing attacks that prove the existence of a private repository, user or reservation
- The ability to brute-force reservations, MileagePlus numbers, PINs or passwords
Bugs Which are Not Eligible for Submission
- Bugs that only affect legacy or unsupported browsers, plugins or operating systems
- Bugs on internal sites for United employees or agents — not customer-facing
- Bugs on partner or third-party websites or apps
- Bugs on onboard Wi-Fi, entertainment systems or avionics
- Insecure cookie settings for non-sensitive cookies
- Previously submitted bugs
- Self cross-site scripting, where the only way to trigger the payload is for victims to paste it into their own browsers
Bounty Payout Structure
The table below shows the bounty payout structure, which is based on the severity and impact of the bug; because the program is discretionary, the figures are maximums rather than guaranteed awards:

Severity | Examples | Maximum Payout
---|---|---
High | Remote code execution | 1,000,000 MileagePlus miles
Medium | Authentication bypass | 250,000 MileagePlus miles
Low | Cross-site scripting | 50,000 MileagePlus miles
How to Submit
If you think you have discovered an eligible bug, United Airlines is interested in working with you to resolve the issue — but you should follow these four steps:
- Please send an e-mail message to bugbounty@united.com and include “Bug Bounty Submission” in the subject line.
- Within the body of the e-mail message, please describe the nature of the bug along with any steps required to replicate it — as well as pertinent applications, programs or tools used to discover the bug.
- Include your legal name, MileagePlus membership account number, and telephone number with your submission.
- A written report including legible screenshots is greatly appreciated.
Summary
Yup — so tilt that ten-gallon hat of yers and consider yerself deputized by this grand ol’ company which conducts a significant portion of its business in Texas, pardner. Discover and report those issues which affect the confidentiality, integrity or availability of customer or company information — and you could be rewarded handsomely for being the first to discover a bug, as you ride off into the sunset with your bounty of MileagePlus miles…
…but also realize that many other terms and conditions apply pertaining to your participation in the Bug Bounty program; so approach your varmint with caution…
…and for the record, I believe that other frequent travel loyalty programs should implement similar programs to improve stability and security of their Internet web sites and stored sensitive information; and perhaps compromises and breaches — such as the ones with Starwood Preferred Guest, Hyatt Gold Passport, British Airways Executive Club, Hilton HHonors and other frequent travel loyalty programs — could be mitigated or even eventually eliminated.
Photograph ©2015 by Brian Cohen.