The researcher must not reside in a country
currently on a United States sanctions list.
The researcher submitting the bug must not be an
employee of United Airlines, any Star Alliance™ member
airline or any other partner airline, or a family member
or household member of an employee of United Airlines or
any partner airline.
The researcher submitting the bug must not be the author
of the vulnerable code.
the following bugs are eligible for submission:
- Bugs that only affect legacy or
unsupported browsers, plugins or operating systems
- Bugs on internal sites for United employees or agents
- Bugs on partner or third-party websites or apps
- Bugs on onboard Wi-Fi, entertainment systems or
- Insecure cookie settings for non-sensitive cookies
- Previously submitted bugs
- Self-cross-site scripting
Bugs that are eligible for submission:
- Authentication bypass
- Bugs on customer-facing websites such as:
- Bugs on the United app
- Bugs in third-party programs loaded by united.com or
its other online properties
- Cross-site request forgery
- Cross-site scripting (XSS)
- Potential for information disclosure
- Remote code execution
- Timing attacks that prove the existence of a private
repository, user or reservation
- The ability to brute-force reservations, MileagePlus
numbers, PINs or passwords
United Airlines payout will be assessed from Low to high
risk. Low risk will payout 50,000 reward miles
(Cross-site scripting, Cross-site request, forgery,
Third-party issues that affect United), Medium risk will
payout 250,000 reward miles (Authentication bypass,
Brute-force attacks, Potential for personally
identifiable information (PII) disclosure, Timing
attacks) and High risk will payout the one million
reward miles (Remote code execution).
United has warned hackers that it will not allow anyone
attempt such things as injecting malicious code into
live systems, coercion or extortion of the airline's
employees. Anyone who attempts this will not be allowed
in the company's bug bounty program. Any hacker who does
attempt could face criminal charges.
For more information you can Google United
Airlines bug bounty program.