United Airlines pays bug bounty with one million air miles

United Airlines has made good on its promise to pay out in free miles under its new Bug Bounty scheme, with Florida-based vulnerability researcher Jordan Wiens revealing he was one of the first to be rewarded.

Wiens has been given one million free air miles, the airline's biggest reward, after he found a remote code execution (RCE) bug on the company's systems.

United Airlines announced the bug bounty programme in May, which is said to be the first for the airline industry. Normally, such schemes reward researchers in cash but United Airlines has chosen to payout in air miles.

United's rewards range from 50,000 air miles for low-level flaws, like cross-site request forgery and bugs in third-party software, to 250,000 miles for mid-level bugs, like personal information leakage, brute force attacks and authentication bypass. Should a researcher find a RCE bug, as Wiens did, they could be awarded up to one million miles.

However, bugs found on-board the aircraft, like in the avionics and the in-flight Wi-Fi, are not eligible for the programme. It also prohibits researchers disclosing bugs publicly or to any third parties.

Wiens announced his reward on Twitter, and he seemed surprised that United paid out the top reward for his bug submissions, which he said weren't technically challenging.

"Wow! @United really paid out! Got a million miles for my bug bounty submissions! Very cool." He added a screenshot showing that the reward was paid out, in two lumps, on July 10. One reward was for 999,999 miles and the other was for one mile. 

He submitted to the airline on May 15, United responded on May 19 and the vulnerability was accepted as valid on June 24.

RCE vulnerabilities could allow an unauthenticated attacker to remotely inject code into a program and get it to run. That means someone on the outside could run a program on your server or desktop computer without having to log in.

Wiens told a local TV station that he planned to use the miles for coach-class trips for his family, including at least one trip to Hawaii with his wife.