Originally Posted by pstation
I wouldn't hold my breath waiting for United to change anything. From my personal experience of reporting vulnerabilities to their bug bounty program, it took nearly a year for them to pay me and about 2 years for them to fix a simple vulnerability that exposed confidential MileagePlus customer information...
In my experience of multiple such information disclosure vulnerabilities, the only way to get United to take action is to openly go public about it. I got an issue that had been around for years fixed within 24 hours by doing that, as described here.
That said, this thread alone is now a month old, so maybe even that isn't enough...
Unfortunately United has got one of the worst bug bounty programs in existence (both in terms of how it's managed as well as the actual "bounties" which in many cases can actually cost you money rather than rewarding you).