United Airlines Bug Bounty Program - Up to 1,000,000 points

Reply Subscribe

Thread Tools

Search this Thread

May 14, 2015, 6:01 pm

sedubby

Original Poster

Join Date: Jun 2014

Posts: 290

United Airlines Bug Bounty Program - Up to 1,000,000 points

http://www.united.com/web/en-US/cont...ugbounty.aspx?

Pretty interesting. I'm sure there are plenty of bugs to be found

May 14, 2015, 6:06 pm

PsiFighter37

Join Date: Mar 2015

Location: NYC (Primarily EWR)

Programs: UA 1K / *G, Marriott Bonvoy Gold; Avis PC

Posts: 9,005

Quote:

Originally Posted by sedubby

http://www.united.com/web/en-US/cont...ugbounty.aspx?

Pretty interesting. I'm sure there are plenty of bugs to be found

Is lack of R availability a valid submission?

May 14, 2015, 6:17 pm

love_to_travel

Join Date: Jul 2004

Location: HNL

Programs: United Gold

Posts: 1,581

What a great idea, has any other airline done something similar?

May 14, 2015, 6:30 pm

steveman518

Join Date: Mar 2014

Location: EWR

Posts: 2,112

I like how bugs on the non-customer facing internal sites aren't eligible-I guess there's no incentive to make the system better for agents...

May 14, 2015, 6:31 pm

RichardInSF

Moderator: Luxury Hotels and FlyerTalk Evangelist

Join Date: Sep 2002

Location: Palo Alto, California,USA

Posts: 17,856

I'm not so sure it's a great idea given the award is in miles. I'm not a lawyer or accountant, but I am willing to bet that for US citizens or residents, the IRS would view this as earned income. That means that your bounty would be in miles -- but you'd have to pay taxes on that bounty, including social security and medicare, in cash.

Not very inviting!

May 14, 2015, 6:34 pm

mduell

FlyerTalk Evangelist

Join Date: May 2007

Location: Houston

Programs: UA Plat, Marriott Gold

Posts: 12,693

A good idea, since their website has access to so much.

Program doesn't include the display of incorrect information... there goes so many bugs.

Last edited by mduell; May 14, 2015 at 6:43 pm

May 14, 2015, 6:39 pm

unavaca

Join Date: Jun 2007

Location: YVR SFO

Programs: UA G

Posts: 4,866

Huge props to UA for setting this up (though it's a shame they didn't use HackerOne to manage it). In the past, reporting vulnerabilities involved "knowing a guy" to email and hope that your malicious URL didn't get nabbed by the spam filter.

^

May 14, 2015, 6:43 pm

sedubby

Original Poster

Join Date: Jun 2014

Posts: 290

I'd pay a Chinese hacker $1000 to find a "medium" bug

May 14, 2015, 7:13 pm

cruisr

Join Date: Dec 2004

Programs: UA-1K, MM, Hilton-Diamond, Marriott-Titanium

Posts: 4,432

Quote:

Originally Posted by sedubby

http://www.united.com/web/en-US/cont...ugbounty.aspx?

Pretty interesting. I'm sure there are plenty of bugs to be found

How the heck did you even fnd this? Did you go looking for this or was there an email blast I missed? I guess it's one way of UA to cut back on IT employee salaries. just have their customers find the issues and throw them some miles,

May 14, 2015, 7:15 pm

#10

gobluetwo

Join Date: Jun 2007

Location: gggrrrovvveee (ORD)

Programs: UA Pt, Marriott Ti, Hertz PC

Posts: 6,091

Quote:

Originally Posted by love_to_travel

What a great idea, has any other airline done something similar?

If you believe what they say on the site, this program is "the first of its kind within the airline industry."

May 14, 2015, 7:20 pm

#11

LarkSFO

Join Date: Sep 2010

Location: San Francisco Bay Area

Posts: 5,825

I hereby propose that we rename this program, giving credit to the flyertalker who assiduously complains their way through seemingly every interaction they make with United's clunky, old, and error ridden systems...

From this point forward, we will refer to this United program as:

"The Channa Challenge"

May 14, 2015, 7:36 pm

#12

sedubby

Original Poster

Join Date: Jun 2014

Posts: 290

I'm in the Bay Area and work in tech. Not a hacker myself, but was sent a link to this earlier today.

This isn't exactly a program the masses need to know about, so not something they'd casually blast to their entire customer base. It's designed for hackers/white hats....many of whom I've heard argue that this is far too low in terms of compensation for the work of a skilled security consultant!

May 14, 2015, 8:11 pm

#13

sincx

Join Date: Sep 2008

Posts: 812

Quote:

Originally Posted by sedubby

But I bet it's more than enough for a college kid from New Jersey going to Stanford.

May 14, 2015, 8:17 pm

#14

entropy

FlyerTalk Evangelist

Join Date: Feb 2002

Location: San Francisco/Tel Aviv/YYZ

Programs: CO 1K-MM

Posts: 10,762

The awards are quite small, and unless they want to build a duplicate site to attack, the terms and conditions make it quite impossible to experiment.