United Airlines Bug Bounty Program: Report Security Flaw, Get Rewards

If you are a hacker or an IT security researcher, United Airlines has announced its first ever Bug Bounty program for you guys.

Yes, United Airlines is the first airline in the world to start a bug bounty program and pay rewards to those who will find security flaw/bugs on its apps, online portals, and websites.

The announcement came weeks after Chris Roberts (World Labs’ IT security expert) was kicked off by United Airlines from their flight after discovering security flaws in airplane in-flight entertainment systems.

One strange aspect of the bug bounty program is that it doesn’t ask security researchers to find life-threatening vulnerabilities such as the security flaws in airplane in-flight entertainment systems previously discovered by Chris Roberts.

United specifically asks researchers to stick to the rules and only use their expertise to find flaws in United’s apps, portals and sites. In fact, the ‘onboard Wi-Fi, entertainment systems or avionics’ category has been added in the list of Bugs that are not eligible for submission. So you are not allowed to find the security flaw in aircraft’s onboard Wi-Fi, entertainment or avionics system.

After adding the most crucial security flaw in the list of “not eligible for submission.” United Airlines said on its Bug Bounty Page that:

“At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure.”

Referring to Robert’s finding United wrote on its website that: 

“A bug bounty program permits independent researchers to discover and report issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.”

Christ Roberts had publicly Tweeted the security flaw he’d discovered in United Airlines onboard Wi-Fi and entertainment systems.

https://twitter.com/Sidragon1/status/598697864437501953
Man Who Revealed Plane Can Be Hacked Offloaded For The Second Time

Here is a list of bugs that are eligible for submission: 

• Authentication bypass
• Bugs on customer-facing websites such as:
  • united.com
  • beta.united.com
  • mobile.united.com
• Bugs on the United app
• Bugs in third-party programs loaded by united.com or its other online properties
• Cross-site request forgery
• Cross-site scripting (XSS)
• Potential for information disclosure
• Remote code execution
• Timing attacks that prove the existence of a private repository, user or reservation
• The ability to brute-force reservations, MileagePlus numbers, PINs or passwords

Here is a list of bugs that are not eligible for submission: 

• Bugs that only affect legacy or unsupported browsers, plugins or operating systems
• Bugs on internal sites for United employees or agents (not customer-facing)
• Bugs on partner or third-party websites or apps
• Bugs on onboard Wi-Fi, entertainment systems or avionics
• Insecure cookie settings for non-sensitive cookies
• Previously submitted bugs
• Self-cross-site scripting

What are the rewards for founding and reporting a security flaw?

Well, you won’t be paid anything, jack squat.. nada! But airline will reward you in shape of mileage points. 

Maximum payout in award miles for Remote code execution = 1,000,000

Maximum payout in award miles for Authentication bypass, Potential for personally, Brute-force attacks identifiable information (PII) disclosure and Timing attacks = 250,000

Maximum payout in award miles for Cross-site scripting, Cross-site request forgery, Third-party issues that affect United = 50,000

It sucks that United Airlines won’t pay in shape of money when companies like Google, PayPal, Yahoo, Facebook and Microsoft pay hundreds and thousands of dollars to security researchers who report critical flaws. 

Recent security flaws in modern aircraft:

Christ Roberts from World Labs was the first researcher to expose critical flaw in United’s on-plane Wireless systems which allowed hackers to remotely takeover modern aircraft. It is unclear if the airline has fixed the flaw or not. 

The US Accountability Office (GAO) was the first government body to issue an advisory on discoveries made by Roberts.

On May, 4th 2015, United States Federal Aviation Administration/FAA revealed Boeing’s 787 Dreamliner has a security glitch which can abruptly shut-off all electrical power of the plane during mid-air causing the flyers to lose control of the flight.

So are you signing up for United Airlines bug bounty program?