Two months after United Airlines launched a bug-bounty program to reward researchers who report flaws in the company's web site and apps, a researcher has received 1 million air miles in the first reward given.
After submitting information to United about a remote-code execution flaw in the airline's web site, Jordan Wiens was awarded his mileage last week. It was the first time Wiens, owner of the Florida-based security firm Vector 35, had submitted to a bug-bounty program.
United is the first airline to launch a bug-bounty program. The company announced the program in May, after receiving harsh criticism for banning a security researcher from one of its flights.
United pays bounty submitters only in air miles, rather than the cash that most vendor bug-bounty programs offer. The amounts paid by other bounty programs can vary between $500 and $250,000. The cash value of the 1 million miles Wiens received is about $25,000.
The miles United will pay out depend on the type of bug reported. The airline will award 50,000 miles for cross-site scripting bugs, for example. An authentication bypass bug can earn 250,000. But remote-code execution flaws—which allow an attacker to remotely run whatever malicious code they want on a vulnerable web site or system—earn the top payout.
“There were actually two bugs that I submitted that I was pretty sure were remote code execution, but I also thought they were lame and wasn’t sure if they were on parts of the infrastructure that qualified,” Wiens told the ThreatPost security blog. “My expectation was that they counted, but I figured they’d award me 50,000 miles or something smaller.”
Instead, after confirming he was a US citizen and that his research was done in the US, United told him to check his mileage account, where he discovered the massive deposit.