United Airlines has rewarded security researchers with millions of frequent flier miles for finding security vulnerabilities as part of its bug bounty program.
Bug bounty programs have grown significantly in popularity as companies seek to proactively address security problems and shortcomings in their applications that can harm the user experience. Such flaws can be not only embarrassing but extremely costly, in both the short and long term.
Unlike companies such as Google, Microsoft and Dropbox, which are paying thousands of dollars for some bugs, United, one of the world's largest airlines, is rewarding those who discover bugs with frequent flier miles that allow them to travel the globe. In some cases, these frequent flier rewards are significant and dwarf the monetary compensation some other companies are providing.
According to Reuters, United has confirmed two bug bounty awards of 1 million miles. The approximate dollar value of each award is $25,000, and with a million miles, the recipients could travel around the world a few times.
Cash Isn't Always King
One of the recipients of a million mile bug bounty is Jordan Wiens, who runs a security company called Vector 35.
"There were actually two bugs that I submitted that I [was] pretty sure were remote code execution, but I also thought they were lame and wasn’t sure if they were on parts of the infrastructure that qualified," he told Threatpost. "My expectation was that they counted, but I figured they’d award me 50,000 miles or something smaller."
Needless to say, Wiens was pleasantly surprised when he saw that United had added a million frequent flier miles to his account.
Wiens' experience highlights the fact that some companies have a great opportunity to develop attractive bug bounty programs without cash rewards. While airline miles have significant monetary value, many companies offer products and services that researchers find desirable even if they are harder to value in cash, and they should look at opportunities to use those as bug bounty rewards. In some cases, they may find that rewards consisting of products or services are more attractive and can be offered in greater quantity, providing extra incentive to security researchers.
That's important because, while the cash rewards associated with bug bounty programs continue to grow, certain bugs are worth so much to those who would use them maliciously that companies will likely be unable to match the dollars available in black markets.