A duo of hackers have scored big, nabbing a bug bounty that landed each of them one million frequent-flier miles on United Airlines for finding a security flaw within its airline’s computer systems.
The awards granted to the two was developed under a security program the airliner started back in May.
Luke Punzenberger, the spokesperson for United Airlines announced Thursday that two people were granted the maximum award of one million miles among other awards. Punzenberger didn’t care to elaborate on what security flaw hackers identified, aside from noting it was a remote-code execution flaw, but said the information had been turned over to company researchers.
“We’re confident that our systems are secure,” Punzenberger added.
The duo, Jordan Wiens, the owner of the Florida-based security firm Vector, and his partner Kyle Lovett, reported the vulnerability to United Airlines about a remote-code execution flaw found in the airline’s website. 35-Year-Old Wiens said he discovered the vulnerability after scouring the site for around six hours, and wasn’t even aware how critical is was when identified.
Wiens posted a photo of his one million frequent flier miles awarded to him by United Airlines:
— Jordan Wiens (@psifertex) July 10, 2015
United is no stranger to technical glitches, ever since 2012 the airliner has had major problems with their technical infrastructure. Just last week, all United flights were briefly grounded and more than 1,000 flights were delayed when their system had an issue, which the airliner blamed on a faulty router.
Airlines “take all necessary precautions” to keep customer data secure, and nearly all airliners have internal security systems in place that monitor networks for irregular activity and intrusions, said Jean Medina, a spokeswoman for the industry trade group Airlines for America. However, she said that she isn’t aware of any other airliner offering up a bug bounty.
Bug bounties are programs companies put in place that allow hackers to try and hack into their service. If successful, the hacker must responsibly disclose the flaw to the company, where they will then generally be handsomely rewarded. Bug bounty awards differ, as some get cash prizes easily up to $30k while others get free merchandise and tools from companies.
Companies include Google, Yahoo, Microsoft, Apple and some of the biggest companies in the world all participate in bug bounty programs and have patched severe vulnerabilities because of it. Not only does the responsible disclosure earn you a prize from the company, it will often land you a notable award directly from the company mentioning you.
For example, Facebook, asks hackers for a “reasonable time” before hackers make their findings public, and often ask hackers to wait to disclose their findings til a patch is made available. This prevents hackers from trying to abuse the flaws while the company is able to safely and securely patch it.
Wiens and Lovett are sure to be a pair of the few hackers who have been granted a bug bounty award in the airline industry.