Vulnerability Disclosure Program

At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we offer a vulnerability disclosure program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential vulnerability that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort.

Before reporting a security vulnerability, please review the "United Terms". By participating in the vulnerability disclosure program, you agree to comply with these terms and the requirements and guidelines included here.

What is a vulnerability disclosure program?

A vulnerability disclosure program permits independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a vulnerability.

Eligibility requirements

To ensure that submissions and payouts are fair and relevant, the researcher and the vulnerability must be eligible according to the United disclosure program terms, including, but not limited to, the following requirements:

  • All vulnerabilities must be new discoveries. Award miles will be provided only to the first researcher who submits a particular vulnerability.
  • The researcher must be a MileagePlus® member in good standing of at least 18 years of age. If you're not yet a member, join the MileagePlus program now.
  • The researcher must not reside in a country currently on a United States sanctions list.
  • The researcher submitting the vulnerability must not be a current or former employee of United Airlines, any Star Alliance™ member airline or any other partner airline, a contractor of United Airlines, or a family member or household member of an employee of United Airlines or any partner airline.
  • The researcher submitting the vulnerability must not be the author of or have any prior affiliation with the vulnerable code.

Target information

United may determine from time to time what constitutes an eligible vulnerability. Below is a summary of all the targets for which United will review vulnerability submissions:

  • United Airlines commercial website (united.com)
  • United iOS and Android apps
  • United MileagePlus X iOS and Android Apps
    • The MileagePlus X iOS application can be downloaded from the Apple App Store.
    • The MileagePlus X Android application can be downloaded from the Google Play Store.

Below you can find the in-scope and out-of-scope targets for the vulnerability disclosure program.

In-scope

  • *.united.com - Website testing
  • United Mobile App for iOS - Mobile testing
  • United Mobile App for Android - Mobile testing
  • MileagePlus X App for iOS - Mobile testing
  • MileagePlus X App for Android - Mobile testing

Out-of-scope

United uses many third-party sites/services, which are considered out of scope for this program. Additionally, the scope list is subject to change. The following targets are considered out-of-scope:

  • Onboard Wi-Fi, entertainment systems or avionics
  • Corporate email
  • Third-party applications/services
  • Non-production environments
  • hotels.united.com
  • vacations.united.com
  • united.jobs
  • newsroom.united.com
  • ir.united.com
  • hub.united.com
  • jobs.united.com
  • opinions.united.com
  • globallinks.united.com
  • dutyfree.united.com
  • bigmetalbird.united.com
  • globalservices.united.com
  • uatp.united.com
  • thanksamillion.united.com
  • unitedmileageplus.com
  • secure.unitedmileageplus.com
  • newspaper-miles.com
  • *.ual.com
  • *.mileageplus.com
  • cruises.united.com
  • ualmiles.com
  • unitedshop.summitmg.com
  • united-veterans.jobs
  • clubconferencerooms.united.com/unit
  • theexplorercard.com
  • mpclubcard.com
  • myexplorercard.com
  • unitedexplorecard.com
  • unitedexplorer.com
  • unitedexplorercard.com
  • mileageplusawards.com
  • mpdining.rewardsnetwork.com
  • m.mpdining.rewardsnetwork.com
  • news.united.com/responsys
  • survey.continental.com/vovici.net
  • booking.unitedcargo.com
  • chargerback.com

Rules of engagement

  • Provide details of the vulnerability finding, including information needed to reproduce and validate the vulnerability using the submission form.
  • All vulnerabilities must pose a security threat in order to be eligible for a reward. United is ultimately responsible for determining the severity of an issue.
  • Vulnerabilities or potential vulnerabilities you discover may not at any time be disclosed publicly or to a third party. Doing so will disqualify you from receiving award miles.
  • Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services.
  • Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not your own.
  • Do not attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
  • Do not attempt to target United employees or customers using methods such as social engineering attacks, phishing attacks or physical attacks.
  • Do not perform physical attacks against United airport facilities.
  • Do not use automated scanners/tools.

Vulnerabilities that are eligible for submission:

  • Remote code execution
  • SQL injection
  • XXE
  • XSS
  • Server-side request forgery
  • Directory traversal - local file inclusion
  • Authentication/authorization bypass (broken access control)
  • Privilege escalation
  • Insecure direct object reference
  • Misconfiguration
  • Web cache deception
  • CORS misconfiguration
  • CRLF injection
  • Cross site request forgery
  • Open redirect
  • Information disclosure
  • Request smuggling
  • Mixed content

Vulnerabilities that are not eligible for submission:

  • Security best practices, e.g. security headers, etc.
  • Social engineering, phishing
  • Physical attacks
  • Missing cookie flags
  • CSRF with minimal impact, e.g. login CSRF, logout CSRF, etc.
  • Content spoofing
  • Stack traces, path disclosure, directory listings
  • SSL/TLS best practices
  • Banner grabbing
  • CSV injection
  • Reflected file download
  • Reports on out-of-date browsers
  • DoS/DDoS
  • Host header injection without a demonstrable impact
  • Scanner outputs
  • Vulnerabilities on third-party products
  • User enumeration
  • Password complexity
  • HTTP trace method
  • DMARC
  • Clickjacking
  • SPF record
  • Insufficient anti-automation
  • Rate-limiting attacks
  • Self-XSS

Severity of the vulnerabilities reported

The reward for disclosing an eligible vulnerability may vary depending on the severity of the vulnerability. The United Security team will determine the severity of the vulnerability after reviewing the submission, using a combination of the Common Vulnerability Scoring System (CVSS) and OWASP Risk Rating Methodology. Researchers will be paid out upon successful validation of their submission. Several submissions may be considered one vulnerability at United's discretion.

Maximum payout in award miles according to vulnerability severity

Severity         Maximum payout in award miles
Critical         1,000,000 miles
High             500,000 miles
Medium           250,000 miles
Low              50,000 miles
Informational    0 miles

Submissions

Please submit a report to the United vulnerability disclosure program by confirming that you understand and accept the policy and terms and conditions, and by using the submission form included here.