United Airlines' bug bounty program awarded a 19-year-old security researcher one million airmiles for his discovery of multiple vulnerabilities.
As reported by Nederlandse Omroep Stichting (NOS), the Dutch Broadcast Foundation, 19-year-old Olivier Beg flew from his home in Amsterdam to Las Vegas, Nevada, where he attended several information security conferences at the beginning of August.
Pretty cool, huh? It gets better.
Beg got there by using a small fraction of the one million airmiles United Airlines awarded him after he found multiple vulnerabilities as part of the company's bug bounty program, which launched back in May 2015.
"That cost me 60,000 points," he told NOS. "And five euro airport tax."
In total, Olivier reported approximately 20 vulnerabilities to United Airlines. He has not provided details on any of the bugs he found, but he did say he received around 250,000 airmiles for the most severe security issue he encountered.
That particular flaw, according to United Airlines' bug bounty website, was likely a "medium"-severity bug that could have allowed an attacker to achieve authentication bypass, launch brute-force attacks or timing attacks, or disclose personally identifiable information (PII).
The "high"-severity bugs, by comparison, are remote code execution flaws. Any researcher who finds that type of issue under United Airlines' program receives a maximum payout of one million airmiles.
United Airlines' bug bounty program is unique in that it pays out airmiles for vulnerabilities. Similar programs in the tech industry award money, with Apple having recently announced the creation of its own program that will pay out a maximum of USD 200,000 for bugs found in its firmware.
The security researcher is familiar with many of those programs, having reported vulnerabilities to Yahoo, Facebook, Google, and others in the past.
Bravo to Beg for his excellent work and for adhering to the principles of responsible disclosure! He deserves the airmiles.
As computer security expert Graham Cluley notes, Beg should be careful to note that airmiles don't always come free. According to an announcement by the United States Internal Revenue Service, miles earned as part of compensation could be considered taxable. Though the IRS does not appear to have gone after anyone for taxes on earned miles, with United Airlines miles having been priced at 2 cents per mile in the past, Beg could rack up a tax bill of USD 20,000.
But even then, his finds for other bug bounty programs could very well cover those expenses.