United Airlines has handed out another million-mile bug bounty award to a security researcher – this time a 19-year-old Dutch hacker who flew to Black Hat USA last week virtually free of charge.
Olivier Beg traveled from his home in Amsterdam to Las Vegas for the two-week hacking conference, spending just €5 on taxes, according to a report on Dutch site NOS.
The most serious bug reported by the teenager got him 250,000 air miles with the US carrier. Although details of the vulnerabilities are not publicly available, a malicious hacker could have exploited it to read someone’s password, the report claimed.
Beg has also found vulnerabilities in Yahoo, Google and Facebook software.
He’s not the first white hat to reap the rewards of United’s bug bounty program. Last July the airline paid out two awards worth one million miles each – one being for a flaw which could have allowed remote hackers to control the company’s website.
United Airlines claimed an industry first when it announced its bug bounty program to the public in May last year.
Awards range from 50,000 air miles for the likes of CSRF and XSS bugs up to the million-mark for remote code execution flaws.
It came in response to several major security alerts in the preceding months. Perhaps the most notable was an incident publicized in January 2015 when hackers used stolen user credentials to break into their online accounts and book flights using their air miles.
That particular incident also affected American Airlines, although the carrier doesn’t have a bug bounty program as yet.
However, some have complained that air miles aren’t a suitable reward for security researchers. If Beg was afraid of flying or fancied taking another airline, for example, the million air miles in his pocket would seem scant compensation for his efforts.
It’s also been pointed out that the IRS collects tax on every air mile ‘paid out’ like this.
Most Silicon Valley tech firms pay researchers in hard currency for finding serious vulnerabilities in their software.
In fact, even the likes of Uber pays cash – up to $10,000 for critical issues – rather than free rides in its cars.