
Bug-Bounty: United Wants You To Hack Their Systems

by Melanie Schmitz

Forget video games and coding challenges, one airline wants to give you access to its deepest, darkest secrets — if you can reach them. This week, United Airlines asked customers to hack into their systems to help expose privacy weaknesses and sniff out problem areas in their apps. Because what could possibly go wrong with that plan?

The new "hacker" program is a legitimate thing, if the reports on the company's own website are real (spoiler: they totally are). Titled "Bug Bounty", the challenge allows independent "researchers" (or evil computer geniuses) to dig up security risks "that affect the confidentiality, integrity and/or availability of customer or company information", wrote the company this week. Hackers who are able to successfully uncover flaws in the system will be rewarded with 1 million frequent flyer miles, which is great for anyone looking to pull a fast one and head out of town quickly.

"At United, we take your safety, security and privacy seriously," wrote the company on its official "Bug Bounty" program page. "We believe that this program will further bolster our security and allow us to continue to provide excellent service."

One caveat: you have to be one of the airline's MileagePlus members in order to qualify for the challenge — or just really good at hacking into MileagePlus websites to make it look like you're a member.

Unfortunately, current United and partner program employees are ineligible. So is anyone living in a country on the United States' sanctions list, for sort-of obvious reasons — although, if you're smart enough to hack into an airline's network, you could probably mask the fact that you're currently living in Somalia.

Wired Magazine reported on Thursday that Bug Bounty's payout of frequent flyer miles is relatively uninspiring compared to programs like it. "For comparison, most bug bounty programs offered by companies like Google, Microsoft and Facebook pay researchers cash ranging from $1,500 to more than $200,000, depending on the type and severity of the vulnerability," reported the publication.

The move was meant to be something of a deterrent against major data breaches like the ones that hit Target and Sony last year, reported Fortune this week, citing the massive information dump that exposed the inner workings of the retail and entertainment giants.

There are restrictions, of course — and they're pretty standard: United listed a number of automatic program disqualifications on their website, including "Brute-force attacks", "Code injection on live systems", "Testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi", and "Physical attacks against United employees [or passengers]." You know, the usual.


Despite the unusually cheery tone that the airline has taken in promoting their Bug Bounty challenge, this isn't the first time that someone has voiced concern over United's systems. In April, noted cybersecurity specialist Chris Roberts of One World Labs, a Boulder, Colorado-based security intelligence firm, caught the eye of government officials when, on his flight to Syracuse, New York, he joked openly on Twitter about vulnerabilities in the plane's many intricate communications and avionics systems.

"Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ?" Roberts tweeted. His jokes, to anyone in the know, were an obvious play on an April report out of the Government Accountability Office, which had specified potential weak spots in airline WiFi through which hackers could gain access to critical systems. After all, Roberts had done the research himself, years earlier, to no public or governmental avail. But that didn't stop the FBI from meeting him at the gates in New York and seizing all his electronics.

"I was probably a little more blunt than I should have been," joked Roberts later, in an interview with CNN Money, indicating that he had been barred from United travel but given a full refund of his ticket costs later. On Wednesday this week, Roberts sounded off on the airline's new challenge as well.

"So... when we come and TELL you about issues you ignore them, but now this?" tweeted Roberts. Bustle has reached out to United's Bug Bounty program for comment and is awaiting response.

According to the Wired report that followed, this sort of standoffish behavior wasn't new. Bug-hunters, they claimed, often publish their findings publicly and submit directly to the companies they've exposed in the hopes that those same companies will pay attention to the imbalanced security of their most important systems and to avoid potential legal ramifications.

"Many researchers [have found that] going directly to the public made the embarrassed vendor (or airline in this case) more likely to fix the hole and leave the researcher alone," reported the magazine.

Whatever bugs riddle the flawed United systems will be dug up sooner or later — likely to the relief of the experts, like Roberts, who have been fiddling with their options for years. At the very least, it should provide some lighthearted entertainment for the whiz-kids out there looking to score a few cool points with their peers for their obvious tech-savvy.

Shall we play a game?
