United Airlines hackers awarded one million air miles

A pair of hackers who spotted security flaws in the United Airlines website have each been given a million free flight miles as part of the company’s bounty program, which rewards hackers who privately disclose security issues rather than leaking them online.

According to Reuters and BBC News reports, the move is a first for a US-based airline company, and United confirmed that they had distributed two one million mile rewards – the most that can be handed out under the program. However, they would not confirm social media posts claiming to be from individuals who had received smaller rewards from the airline.

United unveiled its “bug bounty” program back in May, just a few weeks before technical issues forced its entire fleet to be grounded on two occasions: once because the airline was locked out of its own reservations system, preventing it from checking in its customers, and once due to issues with flight-plan dispatch software.

“Schemes like this reward hackers for finding and disclosing problems in the right way. That makes the internet safer for all of us,” security consultant Dr Jessica Barker told BBC News. “Bug bounties are common in tech companies as they tend to understand online security a bit more, but other industries are catching up.”

Bug bounties ‘a good approach,’ experts say

United is not the first company to use the promise of rewards to entice hackers to contact them directly to report issues or vulnerabilities. Google, Yahoo, and Facebook promise cash incentives, and Reuters asked other airlines if they had similar programs. Three declined to comment and a fourth did not respond.

On its website, United explained that the program would “bolster our security and allow us to continue to provide excellent service.”

“It’s not always about hackers digging around looking for flaws. A hacker may be using a service and notice something a bit off. We all benefit if they look into that,” Dr. Barker told BBC News, dismissing critics who claim that such programs discourage companies from hiring professional security firms.

“It should be part of an overall approach to security, but it’s definitely a good approach,” she said. “It encourages positive behavior and shows young hackers that they can benefit from doing the right thing. Bounties can also benefit smaller companies who can’t afford to give out cash rewards but can offer free products or services, so I hope we’ll see more and more bug bounties.”
