The airline will reward those who find and disclose vulnerabilities affecting its websites, apps, and online portals.
Heads up, security researchers. It’s time to do some bug hunting in exchange for free flights.
United Airlines has announced that it will start rewarding security researchers who discover and disclose vulnerabilities in its websites, apps, and online portals.
“We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program,” United wrote in a note on its website. “We believe that this program will further bolster our security and allow us to continue to provide excellent service.”
The move to launch a bug bounty program follows an incident last month involving security researcher Chris Roberts, who posted a tweet while aboard a United Airlines flight about accessing his plane’s network to see if he could mess with passenger oxygen masks. When the plane landed, Roberts was stopped and questioned by FBI agents, who seized his laptop and other electronics.
United called its new program “the first of its kind within the airline industry” but it may not go far enough. The program specifically excludes “bugs on onboard Wi-Fi, entertainment systems or avionics” — potentially the most critical vulnerabilities airlines face.
In light of recent reports that planes may be vulnerable to Wi-Fi hacks, the FBI and TSA last month issued a joint alert advising airlines to watch out for network intrusions. The agencies said they have no evidence that an attacker could take control of a plane’s navigation system through the passenger Wi-Fi or in-flight entertainment (IFE) network, but are taking the possibility seriously.
That came after the Government Accountability Office recently highlighted the risk of unsecured connections between passenger Wi-Fi networks and avionics systems. The GAO said that attackers may be able to reach the navigational controls of Boeing and Airbus planes through those connections and commandeer the aircraft.
Rather than paying out bounties in cash, United plans to reward researchers with frequent-flyer miles, tiered by severity. Bounties range from 50,000 miles for “low” severity flaws such as cross-site scripting to 1,000,000 miles for remote code execution bugs.
If you think you’ve discovered an eligible bug, email United at firstname.lastname@example.org and include “Bug Bounty Submission” in the subject line. For more information about the program, head over to United’s website.