Teen hacker flies to Black Hat on his one million free airmiles


Viral music videos aside, United Airlines does more than break guitars!

It also pays bug bounties of up to 1 million miles, and that’s exactly how Dutch security researcher Olivier Beg got to Defcon and Black Hat in Las Vegas last week.

Beg told Dutch Public Broadcasting that the flight to Vegas cost him 60,000 points, plus €5 out of pocket to cover tax.

Beg, who’s 19, reported a total of about 20 bugs to United, with the largest bounty netting him 250,000 miles.

He wasn’t at liberty to describe the bugs, but we do know that the airline pays out that much for medium-risk vulnerabilities, including authentication (login) bypass, brute-force attacks, and holes that could expose personally identifiable information (PII) or other sensitive account data, such as a user’s password.

United launched its bug bounty program 15 months ago.

Bug bounties, which reward security researchers for responsible disclosure of vulnerabilities, are of course offered by many tech companies, including Facebook, Google and Microsoft.

The bounties more typically come in the form of cash, rather than free miles: Google has even offered up to “infinity dollars” in its program, although most bounties are far less.

United’s rewards range from 50,000 in free air miles for low-level bugs (cross-site request forgery, bugs in third party software affecting United), to 1 million miles for the highest level kind of bug – remote code execution (RCE).

To qualify for a reward, hackers need to be signed up as members of the airline’s MileagePlus reward program – and they need to comply with a strict set of eligibility rules.

United was one of the first non-tech-specific companies to adopt a bug bounty program.

Lately, we’ve also seen bug bounties offered by the likes of the US Department of Defense, with its Hack the Pentagon program, as well as Tesla, General Motors, Fiat Chrysler, and others.

Since launching the bug bounty last year, United Airlines has rewarded at least two hackers with the million-mile prize for RCE flaws, including a vulnerability researcher from Florida and a Cisco employee.

As of a year ago, that 1 million mile prize translated into about 40 domestic round-trip flights in the US, 20 round-trip flights from the US to Europe, or eight first-class trips.

In other bug bounty news, Apple launched its own program last week.

When the FBI went looking for third parties to help it break into a terrorist’s iPhone, Apple caught some flak over its lack of a vulnerability rewards program: without a bug bounty, there’s little incentive for researchers to share their findings directly with Apple rather than sell them elsewhere.

The newly arrived program is invitation-only and nicely lucrative, with bounties that go up to $200,000.

Image of plane courtesy of Greg K__ca / Shutterstock.com.