United hackers given million free flight miles By Chris Foxx

Technology reporter Published duration 16 July 2015

image copyright united

US airline United has rewarded two hackers who spotted security holes in its website with a million free flight miles each.

The flight provider operates a "bug bounty" scheme that rewards hackers for privately disclosing security flaws rather than sharing them online.

It has given the maximum reward of a million flight miles, worth dozens of trips, to two people.

One security expert said the scheme was a big step forward for online security.

"Schemes like this reward hackers for finding and disclosing problems in the right way. That makes the internet safer for all of us," said security consultant Dr Jessica Barker.

"Bug bounties are common in tech companies as they tend to understand online security a bit more, but other industries are catching up," said Dr Barker.

Cash incentives

The idea of responsible disclosure, reporting issues and giving companies time to fix them, is not new.

Big technology companies such as Yahoo, Google and Facebook offer hackers cash incentives to report bugs privately.

In return for receiving their flight rewards, hackers are forbidden from revealing the nature of the security holes they discovered.

"We believe that this program will further bolster our security and allow us to continue to provide excellent service," United said on its website.

The company declined to comment further.

image copyright Reuters image caption A million award miles could pay for dozens of internal flights in the US

"It's not always about hackers digging around looking for flaws. A hacker may be using a service and notice something a bit off," said Dr Barker.

"We all benefit if they look into that," she added.

Some critics of bug bounties say they can discourage companies from hiring professional security staff, because it's cheaper to offer hackers cash for disclosing bugs.

Dr Barker disagrees: "It should be part of an overall approach to security, but it's definitely a good approach.

"It encourages positive behaviour and shows young hackers that they can benefit from doing the right thing.