United Airlines is offering up to a million air miles to hackers who can find security bugs in its network.
The move comes amid increasing cybersecurity threats to businesses, with the cost of data breaches likely to hit $2.1 trillion globally by 2019, four times the 2015 figure, according to Juniper Research.
On its website, United Airlines lists the types of threats that are eligible for submission into its so-called “bug bounty program”. These include bugs on customer-facing websites, flaws in the United app, and attacks that compromise the private credentials of users.
The number of air miles awarded depends on the severity of the bug discovered. For a so-called “ethical hacker” to receive a million air miles, they must uncover what is known as a “remote code execution” bug, a security flaw that allows hackers to infiltrate a network from a remote location.
The reward for uncovering a medium-severity bug is 250,000 air miles, and people who discover low-level bugs will receive 50,000 air miles.
But United is not keen on ethical hackers playing around with its in-plane systems and said that bugs found on “onboard Wi-Fi, entertainment systems or avionics” were not eligible for submission.
Asking professional hackers to find flaws in a business’s network is not a new tactic, but United is one of the first airlines to try it. Last year, the Bank of England employed ethical hackers — also known as “white hat” hackers — to test the defenses of Britain’s biggest banks.
Often companies struggle to find the required expertise to deal with the increasingly complex landscape of cybersecurity. By letting external hackers have a pop at a network, a company can tap this experience and find flaws that can then be patched up.
“This is a really smart move by United Airlines, as crowdsource testing for security weaknesses can be hugely valuable to organizations,” Jason Steer, chief security strategist at FireEye, said in a statement.
“Its bug bounty is a novel way to incentivize white hat hackers to look for weaknesses in its system, and a great way to save them money whilst increasing its security.”
But United warned that hackers should not attempt such things as injecting malicious code into live systems, or coercing or extorting the airline’s employees. Anyone who did would face disqualification from the bug bounty program and a possible legal investigation.
First published May 15 2015, 6:57 AM