United Airlines To Reward Hackers For Finding Bugs In Its Websites And Not Planes
United Airlines claims to have become the first airline to offer free frequent flier miles to reward professional hackers who can crack the airline’s mobile apps and various websites, as part of a bug bounty program. Barely a month after it banned security researcher Chris Roberts for tweeting about bugs in airplane Wi-Fi or entertainment systems, it is not going to let anyone fiddle with the systems inside its aircraft again.
The programme is only available to those who report faults in its mobile applications and websites. United has specifically forbidden the reporting of bugs affecting “onboard Wi-Fi, entertainment systems or avionics”. Anyone testing these systems would be immediately barred from the programme and could face “possible criminal and/or legal investigation”. United Airlines has also forbidden vulnerability scans or automated scans on United servers.
With this new hacker initiative, United Airlines joins an increasing number of tech companies, including Google, Facebook, and Microsoft, that welcome friendly hackers. By rewarding members of the public who succeed in finding security holes in their technology that might have escaped the eyes of their in-house staff, these companies believe that they can reduce the number of data breaches.
The United programme has three rankings of bug. First, a fault that allows a remote hacker to execute code on a United property is ranked as high and results in a payout of as many as 1,000,000 miles. Second, a medium-severity fault, which includes a login bypass or access to customers’ identifying information, comes with a reward of up to 250,000 miles. Third, small-fry vulnerabilities could win a hacker 50,000 miles.
Chris Roberts, a researcher who works for the security intelligence firm One World Labs, was removed from a United flight for tweeting about potential problems in an aircraft’s communications systems while on the in-flight Wi-Fi. He was subsequently questioned by the FBI, which then seized his computer gear and left him to arrange a flight on another airline.
Roberts said the bug bounty should be a positive thing, as long as it is not used against him in court. Though he hasn’t been charged yet, he is still waiting for his confiscated computer gear. He told FORBES he feared the bug bounty scheme could be used to show he was clearly banned from discussing possible weaknesses in plane electronics in public.
Further, in an interview with Fortune last month, Roberts confessed that the joke was maybe a bit too harsh. However, he stood by his belief that the airline industry needs to take security concerns more seriously than it currently does.
Roberts, however, does not seem pleased with United Airlines’ new security initiative, going by his recent tweet. But United Airlines does point out that it is taking steps to do something positive, even if it isn’t willing to express gratitude to those finding problems in its most critical systems. “We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service,” United said. Like all airlines, United stores a large amount of personal information on its public websites that hackers would love to get their hands on.