Photo: Bernal Saborio/Flickr
Two months ago, United Airlines launched its bug bounty program, promising to reward any computer programmer or researcher who could find flaws or vulnerabilities in its website or app. This week, the airline put its money where its mouse is, paying 1,000,000 miles to security researcher Jordan Wiens.
Wiens, who runs his own Florida-based security company, submitted what he described as a couple of “lame” bugs to United and was surprised that they qualified for the airline’s highest payout (and according to ThreatPost, that million-mile reward is the first of its kind for a major airline). Although Wiens isn’t permitted to disclose exactly what he found, it was a remote code execution bug, a serious vulnerability that could “allow an unauthenticated attacker to remotely inject code into a program and get it to run.”
So how far can Wiens go on a million miles? He could take at least one round-the-world trip in first class or around forty coach-class domestic flights, but the first ones he’ll cash in will be for a trip to Hawaii with his family. He told Fox 13:
I have been telling the wife for awhile that I am going to take her to Hawaii. But that’s probably not going to cut it anymore. She’s like, ‘You’ve got to do better than Hawaii.’
Now that United has made its first major payout, maybe more ethical hackers – and ethical is the key adjective – will be inspired to look around its site. It seems like the airlines could use a bit of IT assistance. In April, professional hacker Chris Roberts wasn’t allowed to board his United flight – and was briefly detained – after pointing out onboard security issues and claiming to have connected his laptop to the CAN data bus on other flights (sorry Chris, those issues aren’t part of the bounty program).
Also in April, more than 70 American Airlines flights were grounded because of a software glitch on the pilots’ iPads. And just last week, hundreds of United flights were delayed or grounded outright due to a “network connectivity issue” caused by a faulty router.
Hey United, have you tried turning it off and on again?