If you have some extra time this summer, spend it on United Airlines" site - even if you don"t plan on a vacation. If you look in the right places, United may reward your diligence.
That"s the plan for the Chicago-based airline, which intends to crowdsource its security testing to patch any holes, bugs, or potential exploits which could be present in its web platforms before they are exploited.
United calls it the "Bug Bounty Program," which will award good web Samaritans who find bugs on customer-facing websites and apps with up to 1 million miles. The airline will offer miles to the first researcher who reports the exploit (provided they are a MileagePlus member) based on a tiered system, with more serious exploits earning higher mileage rewards.
Bugs of high severity will earn a maximum payout of 1 million miles, while low-severity bugs can net up to 50,000 miles. Here"s the full list, tier-by-tier:
High severity bugs (1,000,000 miles max)
- Remote code execution
Medium severity bugs (250,000 miles max)
- Authentication bypass
- Brute-force attacks
- Potential for PI disclosure (full name, address, etc.)
- Timing attacks
Low severity bugs (50,000 miles max)
- Cross-site scripting
- Cross-site request forgery
- Third-party issues that affect United
There are some bugs that aren"t eligible for submission: those which only affect legacy browsers, bugs on internal United websites, and bugs onboard United flights (like in-flight WiFi, entertainment systems, and avionics), among others.
And the bug bounty comes with a warning: if you find any vulnerabilities, don"t attempt to exploit them. Doing so will result in disqualification from the program, as well as criminal prosecution - and most computer crimes are felonies.
Anyone who thinks they"ve found a potential bug can submit it to bugbounty@united.com. Include the nature of the bug, steps required to replicate it, full legal name, and phone number in the body - but make sure you"re a MileagePlus member, or else you won"t receive the bounty.