United Airlines has just launched a Bug Bounty program, inviting skilled hackers and security experts to point out any bugs and flaws that the company might have in their sites, apps, or online portals. It’s the first ever Bug Bounty to be launched by an airline.
The reward is an atypical one that will prove either very appealing or very unappealing, depending on the audience. Instead of offering fame or fortune like Facebook, Google, Yahoo and Microsoft, the company will be rewarding researchers with a million United air miles.
What this means is that winners will be awarded up to one million miles' worth of flying, but those miles can only be redeemed with United Airlines. The worse the bug is, the more miles you win.
The company’s statement read: “At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure”.
United Airlines wants to pay you to hack them, but the context of the contest is an interesting one.
On one hand, it is being strategically launched mere weeks after the company kicked a security researcher (Chris Roberts) off one of its flights for using Twitter to divulge vulnerabilities in the Wi-Fi and entertainment systems of some of United's planes made by Boeing and Airbus.
On the other hand, the announcement comes just weeks after the FBI and the TSA asked airlines to look for theoretical hacks in their in-flight Wi-Fi because of that tweet by Mr. Roberts, who used social media to tell the world that he could access the airplane's oxygen mask controls. As expected, he was met by FBI agents as soon as the plane landed and was banned from flying with the airline.
As far as the contest goes, United's rules clearly specify not to look for bugs in its onboard Wi-Fi, entertainment systems or avionics systems. They do not want experts testing their planes while those planes are moving from point A to point B.
Though some believe this is a poor choice that undermines the point of any bug-finding effort and misses the point of the FBI's request, the brand may actually have spent some time thinking the event through.
Finding bugs, flaws and weaknesses in a system typically involves attacking it until it inevitably breaks. If this were to happen on a live flight, it could lead to an unpleasant, unwanted and tragic crash. Even in the happy scenario where the plane does not crash, the event would be a very serious scare for most passengers sharing the flight, and would lead to bad word of mouth and a loss of customers.
United Airlines stresses the seriousness of the issue by warning that if you are caught ignoring these rules, you will be tossed off the flight and will more than likely find yourself under criminal investigation.
Participants are also not allowed to use brute-force attacks, code injection attacks, denial of service attacks, or compromise customer loyalty accounts.
United seems to be focusing the competition on testing its customer-facing websites and on finding bugs that could allow authentication bypass, cross-site scripting, data leakage and remote code execution.
Jason Steer, chief security strategist at FireEye, thinks that the company's Bug Bounty program is a smart move. He gave a statement saying that crowdsourced testing for security weaknesses can be hugely valuable to an organization.
Anyone willing to participate must first be a member of the airline's MileagePlus program. More details can be found on United Airlines' website.