It took Jordan Wiens six hours, or less than a day's work, to discover a high-severity bug on United Airlines' website, one that would have impaired the airline's ability to function well had it been exploited by unscrupulous individuals.
In exchange for Wiens' service, United Airlines has offered him a total of 1 million airline miles as a reward for discovering the security flaw. That is a lot of airline miles: it is equivalent to 40 round trips in the U.S. and Canada, 16 round trips to Europe and 12 round trips to Australia in coach class, and 20 round trips in the U.S. and Canada, eight round trips to Europe and seven round trips to Australia in business class.
Last week, Wiens took to Twitter to announce that the airline had awarded him the seven-digit bounty after he found a remote code execution flaw on one of its customer-facing websites. He also posted a screenshot of his airline miles, showing two entries: 999,999 miles in one and 1 mile in the other.
A remote code execution flaw can be devastating if exploited by attackers with a clear target. It can be used to gain unrestricted entry into an otherwise private system and inject malicious code and software that would allow the attackers to take full control of the most sensitive portions of the system, putting the security of the airline, its staff and its customers at high risk.
The agreement prevents Wiens from disclosing exactly what type of bug he discovered. He is also prohibited from trying to exploit the bug, which means he has no idea how much or what kind of information could be accessed if the bug were exploited. He did, however, say that the bug "didn't seem as important," which was why he was surprised when United Airlines emailed him with his reward.
The 1 million air miles offered to Wiens are part of a bug bounty program announced by United Airlines in May, when it urged ethical hackers to scour its customer-facing websites and look for security holes that can be patched before someone else gets to them. In return, United Airlines offers awards ranging from 50,000 miles for those who report low-severity bugs up to 1 million miles, such as those awarded to Wiens.
"We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we are offering a bug bounty program - the first of its kind within the airline industry," says United Airlines on its bug bounty page. "We believe that this program will further bolster our security and allow us to continue to provide excellent service."
As for where Wiens plans to go, he says he had been planning to take his wife to Hawaii on vacation, but with so many airline miles to take advantage of, his wife says he had to do better than Hawaii.
Photo: Bernal Saborio | Flickr