Vulnerability researcher Olivier Beg from Amsterdam has been handsomely rewarded with one million airmiles by United Airlines, after finding some 20 security holes in the company’s software.
As the Dutch Broadcast Foundation reports, the 19-year-old has benefited from the bug bounty scheme that the airline introduced last year to encourage bug hunters to disclose their findings responsibly to the airline rather than publish them to others on the net who might attempt to exploit them.
According to reports, the most serious bug found by Olivier Beg earned the teenager a stonking 250,000 airmiles. He claims to have found vulnerabilities in software from other companies including Yahoo, Google and Facebook.
All the signs are that there is certainly the need for airlines to run such bug bounties – United has suffered in the past from hackers breaking into customers’ flight reward accounts, and has been criticised more recently for its tardy response to flaws reported in its flight reservation system.
Personally, I think it might be better if firms like United offered researchers hard cash rather than airmiles for their efforts. After all, what if you’re a bug hunter who is petrified of flying, or simply cannot stand the food on United planes? Surely you don’t want to discourage those folks from responsible disclosure…
Regardless, a bug bounty is better than no bug bounty – even if it’s only counted in airmiles.
And don’t think that Olivier Beg is now flying around the world for free. He says he didn’t have to pay for his flight to Las Vegas last week, but still had to pay five Euros airport tax…
PS. My thanks to Wim Remes who points out that there may be a painful sting in the tail for anyone receiving “free” airmiles: