We’re really happy to see companies getting serious about rewarding white hat hackers. The latest example of this is when [Jordan Wiens] submitted two bugs and was awarded 1,000,000 Sky Miles on United Airlines.
The bounty is so high because he uncovered a method of remote code execution which United has since patched. Unfortunately, United requires bug secrecy so we’re not getting any of the gritty details like we have for some of the recently discovered Facebook vulnerabilities. That’s really too bad because sharing the knowledge about what went wrong helps programmers learn to avoid it in the future. But we still give United a big nod for making this kind of work and responsible reporting worthwhile. [Jordan] did an AMA last night which covered some more general hacking questions.
If you want to turn your leet skills into free travel you need to be a MileagePlus member and not reside in a US-sanctioned country. Details are on United’s Bug Bounty page.
Someone dropped a decimal place here – it’s 1,000,000 – not 100,000
D’oh… fixed, thanks!
Just like Office Space but in the opposite way… “I always mess up on some mundane details…” (quot.)
Yeah cool, but.. how the heck do I know if the bug I spent my precious time working on is or isn’t a new one if there ain’t a database for me to check?
Read the fine print carefully. You’ll go to jail if you try to mess with a live system, or a plane. (Seems to be isolated to customer-facing apps.)
What they’ve done is enter the marketplace – they hope that a million miles on a United jet is worth more than the bid from some other party. This may get them security in avionics, or engine control (or not) but isn’t likely to flag problems in their financials, reservation system, or … someone who can alter their own balance in a frequent-flier system.
Read the conditions: you get no bonus for messing with the avionics / on-board WiFi/entertainment system. This would be too dangerous, because someone could argue he/she just started hacking because of the bounty. Guess what a lawyer would do after a hack-based crash… – Probably you would need a plane on the ground with the engines secured AND a strict NDA without anonymity to start a competition to hack a plane. But will there ever be an airline ready to even take this risk?
Yes, because nothing will cause a plane to auger-in nose-first on a mountain faster than people not being able to tweet and being forced to watch “Galaxy Quest” with Thermian as the spoken language (and Korean subs)…
The onboard WiFi and entertainment are dangerous to mess with because they are often wired into the same systems as everything else. For example, recently there was an exploit in a Jeep entertainment system that allowed remote control of the entire vehicle including the engine, brakes, transmission, and steering.
A Jeep is not a jet airliner. They are not on the same system. In fact, most modern aircraft subsystems were designed while dial-up internet was in its infancy.
I live in Australia where white hat hacking is just as illegal as black hat hacking so I guess the planes will be falling out of the sky here, in future.
FYI: SkyMiles is a term used by Delta Airlines that references their point system.
Well, some colleges have their own jet aircraft for research purposes. I think Purdue is an example, and others with Atmospheric Sciences (e.g. meteorology). A student at one of those colleges could get access (through proper channels) to test one on the tarmac. Generally the jets are older, so may not have the newest avionics, or entertainment systems.
Flying these days is so awful that getting a million air miles for free is like getting a million free visits to the proctologist.