United Offering up to 1 Million Miles for Reporting Security Bugs

May 14, 2015

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Update: Some offers mentioned below are no longer available. View the current offers here – United MileagePlus Explorer Card

If you’re a hacker who’s been making a long list of United’s website bugs, there’s never been an easier way to earn (up to) a million miles. United is offering a bounty of miles to customers who discover potential bugs on its website and apps. While incentivizing users to improve security is nothing new in the tech world, United is the first airline to adopt such a program.

In true airline fashion, there are multiple “redemption levels,” depending on the type of security hole you find. If you don’t recognize any of the vulnerability categories below, your best bet is probably to sign up for a credit card instead, such as the United MileagePlus Explorer Card, which is currently offering 50,000 bonus miles after you spend $3,000 in the first three months. IT pros might be more interested in these options:

Low (50,000 miles)

  • Cross-site scripting
  • Cross-site request forgery
  • Third-party issues that affect United

Medium (250,000 miles)

  • Authentication bypass
  • Brute-force attacks
  • Potential for personally identifiable information (PII) disclosure
  • Timing attacks

High (1,000,000 miles)

  • Remote code execution

United bug bounty program Lest you thought this was an opportunity to try a DDOS attack in the name of quality control, United has a list of methods that are strictly forbidden (and very illegal). You can find the rest of the specifics on the bug bounty program, including where to send your discoveries, when you visit the program page here. And do let us know if your sleuthing leads to a mileage jackpot!

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.