Jordan Weins has become the first researcher to claim a huge miles bounty form United Airlines in return for reporting a remote-code execution error in their site.
Back in May United Airlines began offering mile rewards for reporting bugs in their online systems. The move was largely a response to criticism the airline faced after it booted a programs researcher off one of its flights. The boot was a punishment they saw fit when the researcher tweet about an exploit he found in the flights onboard systems. The mile rewards is offered in tiers depending on the severity of the issue found and of course reported.
United said it will reward the finding of “basic third-party issues affecting its systems with 50,000 miles, exploits that could jeopardize the confidentiality of customer information get 250,000 miles, and major flaws related to remote-code execution earn a maximum of 1,000,000 miles.” Other companies have also been known to offer bounties in an attempt to dissuade savvy programmers from taking advantage of flaws and instead turn them in for cash. The list includes heavy-weight tech names like Google, Facebook, and Yahoo!.
It was the first time that Weins had ever submitted to a bug bounty program, and he had no intention of receiving the grand prize. “There were actually two bugs that I submitted that I were pretty sure were remote code execution, but I also thought they were lame and wasn’t sure if they were on parts of the infrastructure that qualified,” Wiens told the ThreatPost security blog. “My expectation was that they counted, but I figured they’d award me 50,000 miles or something smaller.” One can imagine his surprise when United Airlines contacted Weins and told him to check his account, wherein he found many a vacation waiting for him.
While the gesture is certainly good for United publicity, it may also serve as bait for future researchers to submit, hoping to get the grand prize. Best of luck to all the hackers out there.