United pays up on Bug Bounty program

A few months back United Airlines announced a “Bug Bounty” program where it offered up points to anyone who uncovered bugs in its websites, mobile apps or certain other customer-facing digital assets. And it turns out a few bugs have been reported, verified and the “bounty” paid out. Reports are scarce because the recipients are not really free to discuss the bugs in detail and also because they only get paid after remediation, but one such report on Twitter suggests the program is very much alive and well.

Reading through the thread that follows that conversation, there are a few interesting things to note:

  1. The United MileagePlus system apparently cannot credit amounts greater than 999,999 in any single transaction.
  2. This is not the first bug paid; one user claims 6 confirmed bugs identified. That’s a lot of bugs.
  3. The confirmation and resolution pace is somewhat slow; seems like about a 60-day process to confirm the bugs based on the reports.
  4. This one paid out for the most severe level of bug based on the chart, though the guy who found it claims it “wasn’t technically challenging though.” Which is a bit worrisome.


Turns out that the ability to easily mine award inventory for United and partner flights outside of the channels through which the company wants to publish that data isn’t a valid claim or I’d be filing a bug report. As it is I’ll just settle for having been “awarded” that cease and desist letter once and call it a day.


Seth Miller

I'm Seth, also known as the Wandering Aramean. I was bit by the travel bug 30 years ago and there's no sign of a cure. I fly ~200,000 miles annually; these are my stories. You can connect with me on Twitter, Facebook, and LinkedIn.


    1. Sure, but given the specific categories defined and the part where it appears these were all found/reported in the first few days of the Bounty it is still impressive.
