United Airlines Offers Air Miles in New Bug Bounty Program

United Airlines has announced the launch of a bug bounty program, offering independent researchers who identify security holes in the company’s online services the chance to earn air miles.

The list of vulnerabilities eligible for a reward includes authentication bypass, information disclosure, cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution, timing attacks exposing the existence of a user, reservation or repository, and the ability to conduct brute-force attacks on PINs, passwords, MileagePlus numbers, and reservations.

Researchers can target websites such as, and; the United app; and third-party applications loaded by or other online properties.

The company has highlighted that security holes in partner or third-party websites or apps, bugs in internal United sites, and flaws in the on-board Wi-Fi, entertainment and avionics systems are not in scope.

United Airlines strictly prohibits brute-force attacks, code injection on live systems, testing on inflight entertainment, Wi-Fi and other aircraft systems, denial-of-service (DoS) attacks, compromising other users’ MileagePlus accounts, and automated scans on the company’s servers.

“At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service,” the company said.

While United is not offering any monetary rewards, researchers can earn a lot of award miles if they report serious vulnerabilities. For example, low severity bugs such as XSS and CSRF are rewarded with up to 50,000 award miles, while high severity issues such as remote code execution can earn bounty hunters up to 1 million award miles. The company noted that researchers can only get the rewards if they are members or if they join the MileagePlus loyalty program.

“Bug bounty programs have been surprisingly effective and I don’t see this being any different for United. I think they’re smart to start with their public facing web applications as they learn how to handle the influx of security bug reports. As they mature, they may eventually decide to extend the program to airplane wifi and more critical systems, but I wouldn’t expect it to happen very soon. Letting people play around with frequent flier miles is one thing, letting them attack a flying airplane is a whole different matter,” Jeff Williams, CTO of Contrast Security, told SecurityWeek.

“These bug-bounty programs are getting real value, but there are costs too. There are many reported flaws that are not actually vulnerabilities. It takes work to track these down and deal with them,” Williams added. “Most of these programs are run by organizations with a small number of very critical applications. It may be difficult for a large airline, with hundreds or thousands of applications, to manage such a program. On the other hand, they are already getting pentested by the Internet. With a bug bounty program, at least they get the report.”

The launch of United Airlines’ bug bounty program comes shortly after the Government Accountability Office (GAO) published reports on the cyber security of air traffic control systems, and the risks posed by Internet connectivity to sensitive aircraft systems.

Last month, a security researcher was questioned by the FBI and banned from boarding a plane after he joked on Twitter about hacking the communication and EICAS systems of the Boeing 737-800 he was on.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
