United Airlines has already made good on its promise to pay security researchers in air miles for vulnerabilities found in its web properties. It has just awarded the maximum payout for a Remote Code Execution.

United Airlines announced its bug bounty program in May and hasn't disclosed anything more about it since then. However Jordan Wiens was so thrilled by his payout - one of 999,999 points and another of 1 to bring the total to 1 million, that he tweeted about it:

One of the first question he was asked on Twitter was what type of bug had he submitted. Realizing that the bounty program's t&cs mean he must not disclose information he referred back to the United Airline site:

This raised a more interesting question relating to the fact that the rules profit researchers from taking any action that could compromise the airline's operation:

if you can't perform a code injection on live systems, how do you test?

To which Wiens replied:

I just sent a report saying "this is probably RCE, I just can't test" can't give more detail than that.

In another tweet he disclosed:

The RCE probably wasn't in critical parts of the network. I actually expected less miles since it didn't seem as important.

Another security researcher, who had already been paid for bugs falling into the Medium category asked Wiens when he had submitted, an important question given that only the first person to submit a bug will be rewarded. The answer was that it was timestamped:

 Fri, May 15, 2015 at 2:08 PM

which was within a matter of hours from the launch of the program! 

Jordan Wiens is now planing a vacation to Hawaii but, as we explained when the program was announced, if you don't want to become a frequent flyer there are other goods and services that the reward points can be exchanged for.  

Even so one million airmiles is a lot of miles...

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info