
Auditing United Airlines | Bug Bounty Program

A few months ago, United Airlines launched a Bug Bounty program with a slightly different twist compared to the usual ones. Instead of rewarding participants with a sum of money, they opted to offer miles that can be used for flights or other perks such as car rentals, hotel stays, or merchandise, both with their own airline and with those in the Star Alliance. Rewards come in tiers of 50,000, 250,000 and 1,000,000 miles and function essentially as loyalty points. For instance, a flight from Bucharest to Dublin costs around 30,000 miles.

A few days after the program's launch, I began searching for vulnerabilities in *.united.com (I believe that was the scope at the start; later they narrowed it down to only a few subdomains, but the TOS specified that they could change the rules as they pleased, so no comments there).

After two months of waiting and discovering 29 vulnerabilities, I received my first response: a reward of 50,000 miles within the MilesAge program. There are still three pending vulnerabilities (they were acknowledged but not yet fixed). I suspect they will also be rewarded with 50,000 each, resulting in a total of 200,000 miles. Considering the testing lasted only two days, I can say I'm satisfied.