US airline to reward bug-finding hackers

Published 15 May 2015

[Image: The airline said its in-flight software systems were not part of the bug bounty programme. Image copyright: Thinkstock]

US airline United has launched a reward programme for security experts who find bugs in the software on its websites.

Programmers can earn up to one million air miles for finding the most serious vulnerabilities.

The bug bounty programme does not cover software used in the jets in United's fleet of aircraft.

The reward programme comes soon after the US government warned about the security of software used on in-flight systems.

Legal threat

While many technology firms, such as Google, Microsoft and Facebook, reward programmers who find security bugs in their code, United is the first airline to set up and run such a system.

In a blog post announcing the programme, United said it was interested in hearing from researchers who had found issues that affect the "confidentiality, integrity and/or availability of customer or company information".

Rewards would be given for finding a wide variety of bugs. These include vulnerabilities in its mobile apps or bugs that let attackers bypass security controls or run their own code on the airline's websites to steal data.

It warned entrants against trying their attacks against its "live" systems and said any submission that used attack data would be disqualified and might result in legal action.

Anyone wishing to take part must already be a member of the airline's MileagePlus programme, through which travellers accrue rewards for flying with the company.

"This is a really smart move by United Airlines," said Jason Steer, chief security strategist from FireEye. "Crowdsource testing for security weaknesses can be hugely valuable to organisations."

Mr Steer added that rewarding people with air miles was a "novel" way to motivate ethical hackers to join in.