United Airlines will begin rewarding people who find bugs in its website or mobile applications. Kind of.
Wired is reporting that United Airlines has instituted a program that will give airline miles to persons who report possible security issues on United Airlines’ website and mobile app. The new bug bounty program comes after security researcher Chris Roberts found vulnerabilities in United Airlines’ WiFi and entertainment network on certain models of planes made by Boeing and Airbus.
The bug bounty program, however, does not cover those on-plane vulnerabilities, just those on the website and on the mobile app. United Airlines has announced that “any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi” may result in criminal investigation and, possibly, prosecution.
“At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure,” United Airlines’ announcement reads.
United has announced that it has devised a mileage point payout system, ranging from 50,000 points for reporting a cross-site scripting vulnerability, through 250,000 points for obtaining customer information, to 1 million points for high-security vulnerabilities that would allow a hacker to rewrite code on either the United Airlines website or app. In contrast, businesses such as Google, Facebook, and Microsoft pay out $1,500 to $200,000 in cash, depending on the type and severity of the vulnerability.
According to Forbes, United Airlines has yet to comment on this new program, as it was just released today. Roberts, for his part, feels that as long as United Airlines doesn’t use the bug bounty program against him in court, it will serve its purpose for both United Airlines and its customers. Roberts, who was removed from his flight after tweeting about his discovery and had his equipment confiscated, is still waiting for that equipment to be returned.
United Airlines is trying to convince the populace that this is a good thing, even if the reward is only usable with United Airlines. United is also somewhat reluctant to publicly thank those who find these security issues, expecting the payment to be sufficient reward in this case.
“We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service,” United said.