Bug-bounty programs: They’re not just for software giants anymore.
United Airlines recently announced that it would pay out a million frequent-flyer miles to anyone who discovers a remote code execution bug in its websites, apps, other online properties, or third-party programs loaded by United.com.
The airline is also willing to give a quarter-million frequent-flyer miles to anyone who discovers bugs that enable timing attacks, personally identifiable information (PII) disclosure, brute-force attacks, and authentication bypass. Those developers and bug-hunters who uncover vulnerabilities related to cross-site scripting, cross-site request forgery, and “third party” issues can earn 50,000 miles per bug.
In an interesting twist, United apparently isn’t willing to pay miles for bugs discovered in onboard Wi-Fi, entertainment systems, or avionics, probably because it doesn’t like the idea of developers poking through code that, in the case of avionics, helps planes actually stay in the air. It has also excluded bugs in internal (i.e., not customer-facing) sites from consideration.
Google and other tech firms have long sponsored bug hunters, but they’re usually willing to shell out cold, hard cash in exchange for discovering vulnerabilities. Since 2010, for example, Google has paid out more than $4 million to around 200 security researchers; it also recently instituted “Vulnerability Research Grants,” which pay up-front awards to researchers before they even find a bug. But any developers and researchers interested in racking up airline miles now have a new venue for their skills.