Just two months after offering rewards for reports of security vulnerabilities, United Airlines has awarded a million flier-miles each to two hackers for reporting security flaws in its IT systems.
The US airline has joined Microsoft, Google, Yahoo and others in offering so-called bug bounties to encourage hackers to report vulnerabilities they have discovered before they go public.
Although the nature of discoveries made has to be kept secret, the fact that United paid out the maximum award means the flaws are likely to be remote code execution (RCE) vulnerabilities.
United will pay out 50,000 flier-miles for low-level bugs – such as cross-site request forgery and bugs in third-party software – affecting United, up to 250,000 miles for mid-level bugs such as authentication bypass, personally identifiable information leakage and brute force attacks, and a million miles for RCE vulnerabilities.
Despite the secrecy rules, Florida-based security researcher Jordan Wiens tweeted that the bug he discovered “wasn’t technically challenging” and confirmed it was an RCE vulnerability that “probably wasn't in critical parts of the network”.
Wiens’s Twitter conversations reveal the two top awards are not the only payouts United has made, with Paul MacMillan tweeting that he had picked up a handful of flaws in the “auth bypass/brute force” category and United had “paid out several of the 6 they confirmed”.
According to reports, the top awards are enough for several first-class trips to Asia or up to 20 round-trips in the US with a cash value of more than $20,000.
United said the vulnerabilities had been given to the company’s security teams to ensure the airline’s systems are secure.
However, the bug bounty scheme covers only issues that affect the confidentiality, integrity and/or availability of customer or company information; the airline's aircraft and server systems are off limits.
Bug bounty hunters are not allowed to test aircraft or aircraft systems, including inflight entertainment and Wi-Fi, or conduct vulnerability scans of United servers.
Bounty hunters are also not allowed to attempt brute-force attacks, code injection attacks, denial of service attacks, or compromise customer loyalty accounts.
“Attempting any of the following will result in permanent disqualification from the bug bounty programme and possible criminal and/or legal investigation,” the airline said.
United has excluded various types of vulnerabilities eligible for rewards, including bugs on websites that are not customer-facing and bugs that affect only legacy or unsupported browsers, plugins or operating systems.
Despite the growing popularity of bug bounties, some people in the security industry have expressed reservations about whether they can really improve software security.