Slashdot Mirror


United Airlines Invites Hackers To Find Security Vulnerabilities

An anonymous reader writes: Following a recent spike of interest regarding the potential to hack planes, United Airlines has created the first rewards-for-exploits scheme in the aviation industry. The 'Bug-Bounty' program offers up to a million air miles for submitters who find a specific range of exploits in the company's websites and digital infrastructure. The scheme not only bans participants from probing on-board flight systems but threatens criminal prosecution for any such attempt.

10 of 54 comments

  1. Goodie ! by randalware · · Score: 4, Funny

    I will make reservations to Paris for two.
    Then go visit Dr. Falken.

    --
    This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
  2. bug bounty but no scanning by Anonymous Coward · · Score: 3, Insightful

    Sounds odd they place the rule of no scanning of their network.
    How is anyone supposed to find out what the structure is without probing?

  3. Screw That. by TechyImmigrant · · Score: 2

    I've got all the points and arse ache I need.
    I want a status upgrade. PQMs or go away.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Translation by countSudoku() · · Score: 3, Insightful

    Translation: We can't afford (read: won't pay) for real security personnel, so we'll let strangers do it on a dare and not even to any interesting assets like a fucking plane! No, just hack our shitty web site and we'll offer you some "free miles" that will be highly restricted and next to worthless, but don't fear, wherever you end up going will be a horrible journey filled with ignorant TSA agents frisking your panties and smelling your shoes and then if your fucking pilot decides NOT to crash the plane into a building or a mountain you might end up killing yourself at your destination rather than face the social rape that is modern air travel.

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    1. Re:Translation by magarity · · Score: 2

      > Translation: We can't afford (read: won't pay) for real security personnel

      In all fairness, United is a huge company and like any huge company has tremendous inertia. Probably it's nearly impossible to get IT security bugs properly identified and fixed even if the CEO came to daily scrum meetings. A bounty for external parties is at least a realization they have this problem.

    2. Re:Translation by TechyImmigrant · · Score: 2

      I'm a United frequent flyer.

      To get an upgrade on an international (Atlantic or Pacific crossing) flight will cost you 30,000 points and $500.
      The points have no value without extra money.

      Status is everything, points accumulate faster than you can spend them if you are a frequent flyer. With status you don't get a middle seat, you're first in line for upgrades, they don't bump you on overbooked flights. Status matters.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. Re:wtf by spiritplumber · · Score: 3, Insightful

    Heh. The problem with half these contests is that two weeks later they say "No, contest over and if you publish a vulnerability we'll sue you".

    --
    Liberty - Security - Laziness - Pick any two.
  6. Following a recent spike .... by PPH · · Score: 2

    ... of interest regarding the potential to hack planes, United offers rewards for finding vulnerabilities in their ground-based systems. But no trying to hack planes, or you'll be in trouble.

    I see a certain logic fail here.

    --
    Have gnu, will travel.
  7. If I get into United's reward system.... by Glasswire · · Score: 2

    and give myself a million miles, does that mean United will give a second million? Or just let me keep mine? So what do I need them for?

  8. it's about taking control of the story/keywords by SuperBanana · · Score: 2

    > Translation: We can't afford (read: won't pay) for real security personnel,

    Eh, not really. I guarantee you they have a lot of "real" security personnel.

    This is about taking over control of the story; it's a sort of "pay no attention to the thing we don't want you to hear about" (i.e. the fact that their onboard infotainment/networking and satellite uplink systems are ludicrously insecure) and "pay attention to this other thing."

    Now when you search for "united hacking", you'll get a billion stories about the bug bounty, and few about the original problem - that a passenger was able to walk all over stuff he shouldn't have been able to. It's already starting to work, a few hours in:

    https://imgur.com/0rGuKaL

    It also helps them look, to shareholders/the market/the public, like they're "responding" and making an effort to "improve security."