July 16, 2015
United Continental Holdings Inc
has awarded millions of frequent flier miles to hackers who have
uncovered gaps in the carrier's web security, in a first for the
U.S. airline industry.
United confirmed with Reuters that it has paid out two
awards worth 1 million miles each, worth dozens of free domestic
flights on the airline. United did not confirm tweets from
individuals who say they have been paid smaller awards as well.
The Chicago-based carrier has hoped to trailblaze in the
area of airline web security by offering "bug bounties" for
uncovering cyber risks. Through the program, researchers flag
problems before malicious hackers can exploit them. The cost can
be less than hiring outside consultancies.
Three of United's competitors declined to comment on bug
bounty programs. A fourth was not immediately available for
comment.
Trade group Airlines for America said in a statement that
all U.S. carriers conduct tests to make sure their systems are
secure.
United unveiled the approach in May just weeks before
technological glitches grounded its entire fleet twice,
underscoring the risks that airlines face. One
incident locked the airline out of its reservations system,
preventing customers from checking in, and another zapped
functionality of the software United needed to dispatch its
flight plan.
"We believe that this program will further bolster our
security and allow us to continue to provide excellent service,"
United said on its website, declining additional comment.
Jordan Wiens, a researcher focused on cyber vulnerabilities,
tweeted last week that he received United's top reward of 1
million miles for exposing a flaw that could have allowed
hackers to seize control of one of the airline's websites.
"It's really interesting that United did what they did," he
said in an interview. "There actually aren't that many companies
in any industry outside of technology that do bug bounties."
Wiens said it was normal for large companies such as United
to have bugs in their websites.
Terms of the agreement prohibit Wiens from disclosing the
bug he discovered. The terms also required that Wiens reveal the
supposed problem to United without trying to exploit it, meaning
he does not know how much information he could have accessed or
manipulated.
Beyond the bounty, United said it tests systems internally
and engages cybersecurity firms to keep its websites secure.
