Security researchers who locate bugs and vulnerabilities in United Airlines’ software will be given free air miles, effectively allowing them to fly for free, ZDNet reports.
Like many tech companies, United offers a bug bounty program that provides researchers with rewards for finding issues in critical software. It’s a way to ensure the integrity of its systems — as ever-greater cybersecurity threats emerge, it can become more and more difficult to maintain secure software.
Incentivising bug-finding means that independent security researchers can turn up flaws that might otherwise go unnoticed by the company’s in-house software developers.
Depending on the severity of the bug discovered, rewards can vary from less than 50,000 air miles up to 1 million. Examples of eligible bugs include the ability to brute-force passwords, bypassing authentication, finding bugs on customer-facing sites, and remote code execution.
But United also rules out rewards for testing for other potential flaws, warning that researchers who attempt such testing will be permanently disqualified from the program and face “possible criminal and/or legal investigation.” These include denial-of-service attacks, compromising accounts that are not your own, “any testing on aircraft or aircraft systems,” and threats, attempted coercion or physical attacks on United employees.
The news of the bug bounty program is likely part of an effort by United Airlines to appear more “security-friendly.” The airline has recently faced a slew of negative publicity in the cybersecurity community after refusing to allow researcher Chris Roberts on one of its planes after he joked on social media that he could make the oxygen masks deploy mid-flight.
Roberts had previously been outspoken about potential vulnerabilities in airlines’ on-board software, according to the Guardian. “Given Mr Roberts’ claims regarding manipulating aircraft systems, we’ve decided it’s in the best interest of our customers and crew members that he not be allowed to fly United,” said a spokesperson for the company.
Other companies offer more prosaic prizes to researchers who find vulnerabilities — typically cash. In February 2015, Facebook paid Laxman Muthiyah $US12,500 (£8,000) for uncovering a bug that allowed him to delete any person’s public photos on the social network without their permission.
Google has even begun offering researchers grants to encourage them — paying them before they have actually found anything.