SecurityWeek
United Airlines Offers Air Miles in New Bug Bounty Program

United Airlines has announced the launch of a bug bounty program, offering independent researchers who identify security holes in the company’s online services the chance to earn air miles.

The list of vulnerabilities eligible for a reward includes authentication bypass, information disclosure, cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution, timing attacks exposing the existence of a user, reservation or repository, and the ability to conduct brute-force attacks on PINs, passwords, MileagePlus numbers, and reservations.

Researchers can target websites such as united.com, beta.united.com and mobile.united.com; the United app; and third-party applications loaded by united.com or other online properties.

The company has highlighted that security holes in partner or third-party websites or apps, bugs in internal United sites, and flaws in the on-board Wi-Fi, entertainment and avionics systems are not in scope.

United Airlines strictly prohibits brute-force attacks, code injection on live systems, testing on inflight entertainment, Wi-Fi and other aircraft systems, denial-of-service (DoS) attacks, compromising other users’ MileagePlus accounts, and automated scans on the company’s servers.

“At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service,” the company said.

While United is not offering any monetary rewards, researchers can earn a lot of award miles if they report serious vulnerabilities. For example, low severity bugs such as XSS and CSRF are rewarded with up to 50,000 award miles, while high severity issues such as remote code execution can earn bounty hunters up to 1 million award miles. The company noted that researchers can only receive the rewards if they are, or become, members of the MileagePlus loyalty program.

“Bug bounty programs have been surprisingly effective and I don’t see this being any different for United. I think they’re smart to start with their public facing web applications as they learn how to handle the influx of security bug reports. As they mature, they may eventually decide to extend the program to airplane wifi and more critical systems, but I wouldn’t expect it to happen very soon. Letting people play around with frequent flier miles is one thing, letting them attack a flying airplane is a whole different matter,” Jeff Williams, CTO of Contrast Security, told SecurityWeek.

“These bug-bounty programs are getting real value, but there are costs too. There are many reported flaws that are not actually vulnerabilities. It takes work to track these down and deal with them,” Williams added. “Most of these programs are run by organizations with a small number of very critical applications. It may be difficult for a large airline, with hundreds or thousands of applications, to manage such a program. On the other hand, they are already getting pentested by the Internet. With a bug bounty program, at least they get the report.”

The launch of United Airlines’ bug bounty program comes shortly after the Government Accountability Office (GAO) published reports on the cyber security of air traffic control systems, and the risks posed by Internet connectivity to sensitive aircraft systems.

Last month, a security researcher was questioned by the FBI and banned from boarding a plane after he joked on Twitter about hacking the communication and EICAS systems of the Boeing 737-800 he was on.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.