19-year-old wins one million airmiles after finding United Airlines bugs

19-year-old wins one million airmiles after finding United Airlines bugs

Vulnerability researcher Olivier Beg from Amsterdam has been handsomely rewarded with one million airmiles by United Airlines, after finding some 20 security holes in the company’s software.

As the Dutch Broadcast Foundation reports, the 19-year-old has benefited from the bug bounty scheme that the airline introduced last year to encourage bug hunters to disclose their findings responsibly to the airline rather than publish them to others on the net who might attempt to exploit them.

According to reports, the most serious bug found by Olivier Beg earned the teenager a stonking 250,000 airmiles. He claims to have found vulnerabilities in software from other companies including Yahoo, Google and Facebook.

Sign up to our free newsletter.
Security news, advice, and tips.

All the signs are that there is certainly the need for airlines to run such bug bounties – United has suffered in the past from hackers breaking into customers’ flight reward accounts, and has been criticised more recently for its tardy response to flaws reported in its flight reservation system.

Personally, I think it might be better if firms like United offered researchers hard cash rather than airmiles for their efforts. After all, what if you’re a bug hunter who is petrified of flying, or simply cannot stand the food on United planes? Surely you don’t want to discourage those folks from responsible disclosure…

Regardless, a bug bounty is better than no bug bounty – even if it’s only counted in airmiles.

And don’t think that Olivier Beg is now flying around the world for free. He says he didn’t have to pay for his flight Las Vegas last week, but still had to pay five Euros airport tax…

PS. My thanks to Win Remes who points out that there may be a painful sting in the tail for anyone receiving “free” airmiles:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

11 comments on “19-year-old wins one million airmiles after finding United Airlines bugs”

  1. Simon

    Agreed on the rewards. Discovering bugs and bring them to the table takes integrity and intelligence, something that's a rarity these days.

    Generous bounty rewards is likely to discourage wrongdoing and show appreciation.

  2. Mark Z

    60 bucks to fly coast to coast does sound fun, thank you.

  3. Benedikt MORAK

    Graham you write crap. of course an Airline will give miles, costs them far less than giving cash. and gives the people chances to go places where they for sure would-could not go otherwise. don't like the food or have a fear of flying? don't worry, THAT to happen with a 19 year old will be rather rare.

    1. Graham CluleyGraham Cluley · in reply to Benedikt MORAK

      I've heard a fair few people say that they are particularly phobic of flying United. If I had a bad experience once I'd probably feel a bit miffed that I had another 940,000 airmiles with them rattling about in the bottom of my bag.

  4. Michael Ponzani

    Dear Mr. Cluely:

    They can't live without their taxes! Just listen to the Beatles, "Taxman". There's a remake of this live in Japan without John Lennon who went Kaput through that PP head's gun. However, since the Beatles were the greatest drug band in history. Wilson Byrant Key wrote about this in his Subliminal Seduction books. They have been suppressed as were Dr. Antony Sutton's books about the international financiers.
    PS. Cluely is a Great Name for sniffing out crimes!

    1. Graham CluleyGraham Cluley · in reply to Michael Ponzani

      I didn’t understand most of what you wrote, but I can tell you that Cluley is an even better name.

  5. Michael Ponzani

    Since the Beatles were the greatest drug band in the world…and led to the ruination of many lives, I dont' reall care in the long run what happened to them. Probably financed by Tavistock or MK Ultra.

  6. Michael Ponzani

    I can't type for Sheiss!

  7. Rex

    What type of an article opens with out of date photos of the airline, praise the young man then slams the airline. The question should be are you qualified to write or are you a poser?

    1. Graham CluleyGraham Cluley · in reply to Rex

      Why shouldn't Olivier Beg be praised for finding vulnerabilities? He was working within the rules of United's bug bounty program ( https://www.united.com/web/en-US/content/Contact/bugbounty.aspx ) and if it weren't for him then one can assume that someone malicious might have found the vulnerabilities and exploited them.

      In my opinion United is lucky to have people prepared to find the security holes in its systems for a fraction of what it would cost if they had bothered to find them itself.

      Out of date photos of the airline? Sorry about that. But still, hardly as dangerous as out of date software, right?

  8. Bill

    Complete wrong info. United miles cost about 2.1 cents per mile. So the value of 250000 miles is about $5K. That hacker got screwed. Probably could have sold the exploit for 10 times that. Oh and the excise tax is 7.5 percent. So the correct tax would be about $393 and not 20k. Since these were awarded though it's United's problem on the tax.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.