In what appears to be the first bounty program ever offered by an airline, United is now giving away free miles to security researchers who report dangerous bugs in its website and apps.
United’s new, seemingly proactive stance on cybersecurity comes weeks after the airline booted security researcher Chris Roberts off one of its flights for posting a tweet that referenced vulnerabilities in the on-board computer networks of certain United airplanes. Ironically, the new bounty program explicitly forbids researchers from reporting bugs in onboard systems, noting that “testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi” could result in criminal investigations.
It sounds like more of a PR stunt than anything, and a pretty misguided one at that. Roberts, who was detained and interrogated by the FBI following his jest about oxygen masks, has been voicing concerns for years about network vulnerabilities that could allow hackers to access avionics systems and critical in-flight controls. He may have also proven this himself: In a warrant application released yesterday, Roberts claims to have hacked the in-flight networks on more than a dozen planes and, in one instance, to have briefly taken control of an airplane and caused it to veer sideways.
If this turns out to be true, Roberts will probably end up behind bars. But his actions also underscore the fact that airlines ignore security warnings at their peril.
Then again, if you’re a hacker and a United MileagePlus member, it might be worth your while to scour the website for bugs. You could also get paid actual money to do similar work for Microsoft or Google, and use the cash to purchase a flight on whatever airline you like. [Wired]