
United Airlines bug bounty program - adamnemecek
http://www.united.com/web/en-US/content/Contact/bugbounty.aspx?
======
outericky
Paid in United miles? Not really an incentive there.

~~~
teraflop
Not only that, but: "Award miles offered under this Program are not Premier®
qualifying miles." So you don't even get the free checked bag and priority
check-in that those miles would otherwise entitle you to.

~~~
scurvy
Agreed. They should be award miles that allow for PQM accrual. Or make them
all PQM. That way someone could get gold for life (plus spouse) for a code
execution exploit.

~~~
MichaelGG
Even if you got the PQMs, you'd still need the dollars to get the status. So
it's not that helpful, is it?

~~~
fancyketchup
But the top prize is one million miles, which would get you lifetime status.
Delta and United don't (yet) have spend requirements for lifetime status,
AFAIK.

Conferring lifetime status isn't necessarily even that expensive to the
airline--you only get the benefits after you give the airline your money for
tickets. It also creates an incentive to buy tickets on one particular
airline, even when they might be slightly more expensive (which is the _whole_
purpose of frequent flier CRM programs).

~~~
scurvy
Yep, exactly. If they were 1mil PQM or 1mil BIS you'd hit million miler and
get gold for life. Gold, which only kicks in when you actually fly (like you
pointed out).

------
richadams
"Bugs that are eligible for submission: ... The ability to brute-force
reservations, MileagePlus numbers, PINs or passwords"

"Do not attempt: ... Brute-force attacks"

This seems contradictory. I assume the intent is to not allow DoS attacks
(although they call that out separately further down the list)?

~~~
supercoder
Not exactly.

Seems they're saying they'd accept a bug that can be caused by brute-force,
but do not actually attempt a brute force yourself.

But yeah, I'd guess they don't want to intentionally invite a bunch of people to
DoS the site.

~~~
bashinator
Another interpretation is that, if you discover something similar to what Weev
discovered, do not do what Weev did.

------
bhuga
"Bugs on onboard Wi-Fi, entertainment systems or avionics" are not eligible
for bounties.

It's very strange to see website timing attacks as worth rewarding, but not
avionics. Perhaps they'd rather not incentivize people to attack airplanes in
flight?

~~~
cortesoft
Yes, I am pretty sure it is a safety thing. That would be very dangerous to
encourage people to try to hack a flight in the air.

~~~
shiggerino
It would be a good idea to provide access to that sort of equipment on the
ground. Bugs that can lead to loss of life should be of much higher priority
than bugs that can merely lead to loss of profit on a web site.

Though the avionics industry would obviously balk at the proposition, those
systems are already spectacularly vulnerable, and they'd hate to lose face.

~~~
danjayh
"...those systems are already spectacularly vulnerable..."

Absolutely untrue, unless you have physical access to them (at which point any
system is vulnerable). In truth, the maintenance port on a 787, for example,
(which is the only place you could feasibly get the kind of access you'd need
to even attempt an exploit) is located in the avionics bay. At the point that
an unauthorized party has gained access to the avionics bay, you've got a much
bigger problem than software exploits.

If you're referring to Chris Roberts' dubious "Planes, Trains, and
Automobiles" grrcon talk ... well, I'm sorry, but claiming that you've "made
friends <giggle>" with an airplane doesn't seem very substantive to me.

Avionics code is some of the most extensively tested code in the world, with
100% statement and decision coverage, 100% requirements test coverage,
extensive robustness testing, and somewhere between a handful and hundreds of
eyes having reviewed every single line (depending on criticality level).
Additionally, design constraints are followed for high criticality software
that simply eliminate many types of attacks - no dynamic allocation,
mathematically provable static stack analysis, etc. etc. etc. (get yourself a
copy of DO-178B and read it if you really want to know all the details). I
would bet a significant amount of money that the defect rate per N lines of
code in avionics software is probably substantially lower than almost all
other commercial software. There's also the fact that on modern aircraft using
Ethernet based networks, message routing and authentication are implemented in
both hardware and software at multiple layers by independent teams, which
greatly reduces the chances of a common fault that allows a successful attack
(even if you _could_ gain physical access to the network).

------
ikonst
Exactly what you'd expect from an airline:

"Bugs or potential Bugs you discover may not at any time be disclosed publicly
or to a third-party. Doing so will disqualify you from receiving award miles."

It's as if it was designed in the same spirit as a frequent flyer program --
really stingy payout, with lots of strings attached. I can't see how this can
incentivise anyone to do free penetration-testing for them.

------
CyberDildonics
Is having rude stewardesses and planes that are never on time bugs? Is
grouping two flights into one flight number to deceive people into buying 3
stop international flights a bug? If so please pay me in minimal airline miles
which I can then use to waste more of my time on the shittiest airline in the
world.

------
thewhizkid
I'm not a hacker - how much should you normally get paid for a low/medium/high
bug? 50k points ~= $1500; 250k points ~= $7500; 1m points ~= $30k.

A lot more if you redeem for int'l biz/first class...

~~~
tfe
3 cents per mile seems like a pretty high valuation to me. I usually use 1.5
cpm. You can do better, as you mentioned, but this is a good EV for me.

~~~
thewhizkid
True.

Another gem in the ToS: "You are responsible for any tax implications that
apply based on your country of residency and citizenship."

I know miles earned from credit cards are _not_ taxed, but I do know for a
fact that Citibank sends out a 1099 for new checking accounts that come with
bonus miles.

If United sends you a 1099 based on the market value of a mile (likely between
2-3 cents each), then you're looking at non-trivial tax implications as well.

~~~
saryant
United doesn't send out 1099s.

------
poulsbohemian
If they actually cared about their site they would go back to the old
united.com, not the crappy one Continental brought with them in the merger.

I would have been a lifelong customer, but Continental ruined it.

~~~
richadams
They're currently beta testing a new (more modern) site:
[https://beta.united.com/ual/en/us/](https://beta.united.com/ual/en/us/)

~~~
lqdc13
I like Virgin's
[https://www.virginamerica.com/](https://www.virginamerica.com/) way more than
even their beta one. I guess they're going for different demographics.

------
emmab
"Code injection on live systems" is not allowed? What does this even mean?

If I put ?param=' and it crashes with an SQL error have I performed code
injection on a live system?

~~~
ludamad
Well in that case they'd presumably have a log and they would see no
suspicious payload.
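The exchange above turns on two things: why a lone `'` in a query parameter produces an SQL error at all, and what a log would show afterwards. The following is an added illustration, not code from the thread or from United, using a constructed in-memory SQLite table, a hypothetical `reservations` schema and constructed request-log lines. It places the defective string-concatenation query beside the parameterized fix, classifies what each does with the same input, and then runs a small log check that flags the percent-encoded quote a server log would actually record.

```python
import re
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory table; the schema is hypothetical, not United's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (confirmation TEXT, passenger TEXT)")
    conn.execute("INSERT INTO reservations VALUES ('ABC123', 'A. Traveler')")
    conn.commit()
    return conn


def lookup_concatenated(conn, param):
    """The defective pattern: the parameter is spliced into the SQL text, so a
    stray quote changes the statement's syntax and the database errors out."""
    sql = "SELECT passenger FROM reservations WHERE confirmation = '" + param + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, param):
    """The fix: the driver binds the value separately; a quote is just data."""
    sql = "SELECT passenger FROM reservations WHERE confirmation = ?"
    return [row[0] for row in conn.execute(sql, (param,))]


def probe_outcome(lookup, param):
    """Return 'error', 'rows' or 'empty' so the two lookups can be compared."""
    try:
        rows = lookup(make_db(), param)
    except sqlite3.OperationalError:
        # SQLite reports the unterminated string literal as an OperationalError;
        # a server that leaks this message is what the comment above describes.
        return "error"
    return "rows" if rows else "empty"


# SQL metacharacters that have no business in a confirmation-number parameter.
SUSPICIOUS = re.compile(r"""['";]|--""")


def flag_request_log(lines):
    """Flag constructed access-log lines whose decoded query string carries SQL
    metacharacters. Line format (constructed): '<ip> GET <path>?<query> <status>'."""
    flagged = []
    for line in lines:
        parts = line.split()
        path = parts[2] if len(parts) > 2 else ""
        # Browsers percent-encode the quote, so decode before matching.
        query = unquote(path.partition("?")[2])
        if SUSPICIOUS.search(query):
            flagged.append(line)
    return flagged


# Constructed sample log: one benign lookup, one single-quote probe, one more benign.
SAMPLE_LOG = [
    "203.0.113.5 GET /reservation?confirmation=ABC123 200",
    "203.0.113.5 GET /reservation?confirmation=%27 500",
    "198.51.100.9 GET /reservation?confirmation=XYZ789 200",
]


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concatenated), ("parameterized", lookup_parameterized)):
        for value in ("ABC123", "'"):
            print(f"{name:14s} param={value!r:10s} -> {probe_outcome(fn, value)}")
    for line in flag_request_log(SAMPLE_LOG):
        print("flagged:", line)
```

The point the comparison makes is that the error itself is the finding: a parameterized query returns an empty result for `'` rather than failing, so an SQL error on a quote is evidence of string concatenation somewhere behind the endpoint. On the logging side, the probe is only invisible if the log omits the query string or the application never decodes it; a log that keeps the full request line records `%27`, and a 500 status next to it is the obvious thing to alert on.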

------
markhall
I think this idea of bounty programs even among non-tech companies will
continue to grow. I recently wrote about this in-depth as a solution to many
of the online security problems:
[http://mytwoandahalfcents.com/prevent-enterprise-security-br...](http://mytwoandahalfcents.com/prevent-enterprise-security-breach-invert-model/)

------
noondip
Where is their PGP key?

