In the world of digital security, bug hunting is the practice of finding holes in a corporation’s security and selling the findings back so the problems can be quietly fixed. Companies such as Microsoft know that it’s far cheaper to pay researchers up to $100,000 up-front than to face a massive public security breach shortly afterward. United Airlines has just started one of its own bug hunting programs, but the airline treats security experts much like it does its disgruntled passengers. Rather than just pay fees out in cold, hard, useful cash, the Joffrey Baratheon of airlines has decided to offer United air miles as a bounty.
The announcement comes just a few weeks after both the FBI and TSA asked airlines to start looking for theoretical hacks to their in-flight WiFi. It was prompted after security researcher Chris Roberts joked on Twitter that, on a United flight to Syracuse, he was able to access the airplane’s oxygen mask controls. Naturally, he was met by FBI agents as soon as the plane touched down, and was promptly banned from flying with the airline.
As Wired points out, United has clearly missed the point with its bug hunting program, since it discourages people from looking for in-flight vulnerabilities. The rules also seem to discourage people from looking for issues that could hijack a plane, something that Hugo Teso claimed he could do at least two years ago. Instead, hackers are asked to poke holes in United’s terrestrial operations, including its online authentication and mobile apps, and to look for remote code execution flaws.
If, however, you’re able to find and prove a remote code execution, you could receive a maximum payout of one million miles for your trouble. Although, knowing United as we do, there’ll probably be some subclause that means you can only use your reward every third Sunday, and then only on the now-axed Newark to Columbia route.