United Airlines Wants You To Find Security Flaws And Earn Flyer Miles
Being in the business of knowing and writing about technology, I know why companies like Microsoft and Facebook pay hackers if they are able to find a security flaw or bug in their systems or network software. However, a similar initiative was started by United Airlines recently and I have to say they have completely missed the mark.
United Airlines, one of the popular airlines around, has started a Bug Bounty Program that asks hackers to find security flaws in its website, app, online authentication and similar areas.
Here is the full list of bugs eligible for submission:
- Authentication bypass
- Bugs on customer-facing websites such as:
- Bugs on the United app
- Bugs in third-party programs loaded by united.com or its other online properties
- Cross-site request forgery
- Cross-site scripting (XSS)
- Potential for information disclosure
- Remote code execution
- Timing attacks that prove the existence of a private repository, user or reservation
- The ability to brute-force reservations, MileagePlus numbers, PINs or passwords
What you may find hilarious is the list of issues hackers are not allowed to report:
- Brute-force attacks
- Code injection on live systems
- Disruption or denial-of-service attacks
- The compromise or testing of MileagePlus accounts that are not your own
- Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
- Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
- Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
- Vulnerability scans or automated scans on United servers
Now my question is, what are they thinking? They want hackers to find flaws in a website rather than report issues that could lead to a DDoS attack and those that could lead to hijacking.
On top of that, hackers are being paid with air miles rather than hard cash. Unbelievable!