United Airlines Inc starts official Bug Bounty Program - Star Alliance Security

United Airlines Inc starts official Bug Bounty Program - Star Alliance Security

Thursday a "Star Alliance Member" firm published information about the new official Bug Bounty Program of the United Airlines. United Airlines, Inc. commonly called as "United", is an American major airline headquartered in Chicago. It is the world's largest airline when measured by number of destinations served. This week the new bug bounty program of united airlines starts after all the airplane hacking troubles in the past years.

The owner of the new bug bounty program tries to capture all bugs across the main infrastructures to protect customers, own hardware or websites/services. Everybody is invited to cooperate by a participation but every researcher has to follow the guidelines of the bug bounty program. We are happy that the faa allowed the united airlines inc to startup the public program.

United Airlines Bug Bounty Program

At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.

Eligibility Requirements

To ensure that submissions and payouts are fair and impactful, the following eligibility requirements and guidelines apply to all researchers submitting bug reports:

  • All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular bug.
  • The researcher must be a MileagePlus member in good standing. If you’re not yet a member, join the MileagePlus program now.
  • The researcher must not reside in a country currently on a United States sanctions list.
  • The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance™ member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
  • The researcher submitting the bug must not be the author of the vulnerable code.

Bugs that are eligible for submission:

  • Authentication bypass
  • Bugs on customer-facing websites such as:
    • united.com
    • beta.united.com
    • mobile.united.com
  • Bugs on the United app
  • Bugs in third-party programs loaded by united.com or its other online properties
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Potential for information disclosure
  • Remote code execution
  • Timing attacks that prove the existence of a private repository, user or reservation
  • The ability to brute-force reservations, MileagePlus numbers, PINs or passwords


If you have discovered a bug that meets the requirements, and you’re the first eligible researcher to report it, we will gladly reward you for your efforts. Below is our bounty payout structure, which is based on the severity and impact of bugs.

Bug Bounty payout structure
Severity Examples Maximum payout in award miles
  • Remote code execution
  • Authentication bypass
  • Brute-force attacks
  • Potential for personally identifiable information (PII) disclosure
  • Timing attacks
  • Cross-site scripting
  • Cross-site request forgery
  • Third-party issues that affect United


If you think you have discovered an eligible bug, we would love to work with you to resolve the issue.

  • Please email us at bugbounty@united.com and include "Bug Bounty Submission" in the subject line.
  • Within the body of the email, please describe the nature of the bug along with any steps required to replicate it, as well as pertinent applications, programs or tools used to discover the bug.
  • Include your legal name, MileagePlus number and phone number with your submission.
  • A drafted report including legible screenshots is greatly appreciated.

Please feel free to reach out to us at bugbounty@united.com with any questions regarding the bug bounty program. We will be sure to respond to you soon as possible. We look forward to hearing from you.




Rate this article: 
Average: 3.6 (11 votes)

Add new comment

Plain text

  • No HTML tags allowed.