If we were to tell you that today hackers are walking around with a few million frequent flyer miles care of United Airlines, your first thought might be that they had been the victims of a data breach at the hand of cybercriminals.
And though these days that is a depressingly safe assumption, in this case it would be wrong. Those hackers have those miles because they likely prevented a cyberattack by discovering flaws in United’s Web security system and reporting them before a criminal could find them.
It’s called a bug bounty, and it is a clever way to set white-hat security researchers against black-hat cybercriminals. And though popular across industries — most of the major tech players have them, usually associated with a cash reward — they were almost unheard of in the airline industry until now.
Four of United’s competitors were contacted by Reuters to see if they were looking into a similar program. Three declined to comment on bug bounty programs; the fourth was not available.
United launched its bug bounty in May.
“We believe that this program will further bolster our security and allow us to continue to provide excellent service,” United said on its website.
Recently, United has had its share of trouble with tech. The airline found itself locked out of its reservations system, preventing customers from checking in and leaving the company unable to dispatch its flight plan since the software that handles it was (in technical language) “zapped.”
The “hacker” who collected the first bug bounty was Jordan Wiens. The cyber vulnerability researcher tweeted that he had found a bug that could have theoretically allowed hackers to take over United’s websites.
“It’s really interesting that United did what they did,” he said in an interview. “There actually aren’t that many companies in any industry outside of technology that do bug bounties.”
The terms of the agreement with United prevent Wiens from disclosing many specifics of the vulnerability. They also prevented him from attempting to exploit the bug after finding it, which means even he doesn’t know how big a risk there was.