Chicago-based United Airlines, the world’s largest in terms of number of destinations served, has today launched the first rewards-for-exploits scheme in the aviation industry. United’s ‘Bug Bounty Program’ will reward with air-miles individuals who report security vulnerabilities in the company’s range of websites, its app, and in third party programs that it uses.
The maximum payout possible under the scheme is proof of a vulnerability leading to remote code execution, which will net the submitter one million air miles. 250,000 air miles are on offer for evidence of exploits such as an authentication bypass, brute force attacks, timing attacks and flaws which could lead to the disclosure of personally identifiable information (PII). Successful submissions regarding cross-site scripting and cross-site request forgeries are worth 50,000 air miles.
Investigation of actual on-board systems, including in-flight entertainment systems, is banned from the scheme, and United promises additionally to subject anyone who attempts such probing to criminal prosecution.
Any bounty will go to the first submitter of a particular vulnerability. The submitter must not be a resident of a country in a United States sanction list, the author of the vulnerable code, an employee of the company or of related companies – and must also be a member of United’s MileagePlus program in order to participate.
The scope of the bug-hunt excludes non-customer-facing applications, legacy browsers and plugins and insecure cookie settings.
Along with the ban on hacking on-board flight systems, the Bug-Bounty scheme prohibits the use of code-injection on live systems, brute-force attacks, scanning of United’s servers, DDoS attacks, and physical attacks or threats against the company’s employees.
The scheme seems to be a response to a spate of speculation about the possibility of hacking airplanes in the last month or so, as well as the incident where security researcher Chris Roberts was prevented from boarding a United plane to California after boasting on Twitter that he could get the plane’s oxygen masks to deploy.