Despite the scepticism that surrounds bug bounty programmes, United Airlines in the US has joined the growing number of firms offering rewards for reports of security vulnerabilities.
But instead of the usual cash rewards, United Airlines is offering up to a million air miles that can be used only by members of its customer loyalty scheme, and there are strict limits on areas of research.
United is seeking help with issues that affect the confidentiality, integrity and/or availability of customer or company information, but its aircraft and server systems are off limits.
Bug bounty hunters are not allowed to test aircraft or aircraft systems, including inflight entertainment and Wi-Fi, or conduct vulnerability scans of United servers.
“Hopefully United’s position is not that it would not consider such vulnerabilities as being serious, but rather they are loath to having researchers attempting to find flaws in a plane that’s flying at 30,000ft,” wrote Graham Cluley, an independent security consultant, in a blog post.
Bounty hunters are also not allowed to attempt brute-force attacks, code injection attacks, denial of service attacks, or compromise customer loyalty accounts.
“Attempting any of the following will result in permanent disqualification from the bug bounty programme and possible criminal and/or legal investigation,” the airline warned.
United has also excluded various types of vulnerability eligible for rewards, including bugs on websites that are not customer-facing and bugs that affect only legacy or unsupported browsers, plugins or operating systems.
The focus of the bug bounty programme appears to be customer-facing websites and related bugs that could allow authentication bypass, cross-site scripting, data leakage and remote code execution.
To keep the bug bounty programme from being inundated with submissions, only researchers who are MileagePlus members in good standing are eligible, and they must live in a country that is not on a US sanctions list.
Although the programme is limited in scope, and its top reward has been reported as the cash equivalent of only $20,000, United’s bug bounty programme at least demonstrates an understanding of the importance of keeping customer data safe.
According to Europol’s European Cybercrime Centre (EC3) in The Hague, the airline industry was hit by losses of $1bn in 2014 caused by fraudulent online ticket booking. Millions of victims were affected through the misuse of their credit card data.
In November 2014, EC3 co-ordinated an international operation by law enforcement agencies that resulted in 118 arrests, including around 40 in the UK, in connection with online fraud involving the airline and travel industries.
The operation targeted criminals suspected of fraudulently purchasing flight tickets online using stolen or fake credit card data.
United claims its bug bounty programme is the first of its kind in the airline industry. Considering the vast amount of customer data airlines hold, other airlines that take the threat of a data breach just as seriously may soon follow United’s example.
However, with personal data commanding high prices on the underground market, other airlines should perhaps consider a cash reward rather than air miles, or at least a combination of the two.