Friday, 15 May 2015

United Airlines To Reward Hackers Who Help Squish Nasty Bugs... Just Not In Its Planes

United Airlines claims to have become the first airline to offer a bug bounty programme, pledging to reward professional hackers with air miles for finding vulnerabilities in its systems. But, just a month after it banned security researcher Chris Roberts from flying with United again for tweeting about potential hacking of on-board Wi-Fi, it isn’t going to let anyone tinker with the systems inside its aircraft.

The programme is only open to those who report flaws in its websites and mobile applications, and United has specifically prohibited the reporting of bugs affecting “onboard Wi-Fi, entertainment systems or avionics”. Anyone who does carry out testing of those systems will be immediately banned from the programme and could face “possible criminal and/or legal investigation”. United has also prohibited vulnerability scans or automated scans against United servers.

United flight at Denver airport, the same airport pro hacker Chris Roberts took off from before a tweet saw the airline ban him.

United Airlines had not responded to a request for comment. It had not issued an announcement about the bug bounty programme, which appeared to come online just today, according to the Wayback Machine Internet Archive.

There are three severity tiers in the United programme. The high tier covers a flaw that would allow a remote attacker to execute code on a United property, with a payout of as many as 1,000,000 miles. A medium severity flaw, which includes a login bypass or access to customers’ identifying information, comes with a reward of up to 250,000 miles, whereas low severity vulnerabilities could win a researcher 50,000 miles.

Roberts, who tweeted about potential problems in an aircraft’s communications systems whilst on the in-flight Wi-Fi and was subsequently removed from the flight and had his electronics seized, said the bug bounty should be a positive thing, as long as it wasn’t used against him in court. He said he’s still waiting on his seized equipment, though he hasn’t been charged, and told FORBES he feared the bug bounty scheme could be used to show he was explicitly prohibited from publicly discussing possible weaknesses in plane electronics.

But the United website does hint it’s trying to do something positive, even if it isn’t willing to thank those finding problems in its most critical systems. “We are committed to protecting our customers’ privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service,” United said.

Source: Forbes
