United Airlines vulnerability disclosure program | United Airlines

Rules for the United Airlines Vulnerability Disclosure Program

Important: The following rules, the United Privacy Policy and the MileagePlus Program Rules constitute the rules and other provisions (collectively, “Rules”) of the United Airlines Vulnerability Disclosure program (the "Program"). By participating in the Program, you indicate your acceptance of these Rules and agree to abide by them. It is your responsibility to read and understand all of the Rules. These Rules can be supplemented by the Program site but cannot be superseded or changed, except in writing from United Airlines or any of its affiliates (collectively, "United"). The most current Rules may be found on united.com and this is the final authority on the Rules. The Rules on united.com shall be deemed to supersede any prior or conflicting versions thereof.

General conditions

1. The Program is offered at the discretion of United and United has the right to terminate the Program, in whole or in part, or to change the Rules, benefits, conditions of participation, qualification criteria or award levels, in whole or in part, at any time, with or without notice.
2. United shall determine what constitutes a vulnerability ("Vulnerability" or "Vulnerabilities") and establish the criteria and process for Vulnerability submission and the benefits associated therewith and may post such criteria and process on the Program site from time to time.
3. The Rules control your participation in the Program and no covenants at law or in equity shall be implied or incorporated, all of which are expressly disclaimed. United has the sole right to interpret and apply the Rules. IN NO EVENT SHALL UNITED BE LIABLE TO A MEMBER, OR ANYONE ACTING ON THE MEMBER’S BEHALF, FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING LOST REVENUE OR PROFITS, ARISING OUT OF THE ACTS OR OMISSIONS OF UNITED IN CONNECTION WITH THE PROGRAM, OR COSTS OR ATTORNEYS’ FEES. Any abuse of the Program or failure to follow the Rules, any violation of law, rule, or regulation, any conduct detrimental to the interests of United, any fraudulent activity or attempted fraudulent activity, any dissemination of information designed to defraud United, or any misrepresentation of any information furnished to United or its affiliates by any Member, anyone else acting on the Member's behalf, or any third party (collectively, “Prohibited Conduct”), may result in United exercising any one or more of the following remedies (“United’s Remedies”), with or without notice to the Member: (a) the termination by United of such Member’s membership in MileagePlus (including without limitation any Premier or Million Miler status, if applicable), (b) the removal or cancellation by United of any or all accrued mileage, Premier Qualifying Credits, lifetime miles, and any pending or outstanding award redemptions, certificates, or benefits (including without limitation any benefits associated with Premier (and/or Million Miler) status, if applicable), (c) the confiscation of any award tickets, denial of boarding with respect to any award ticket holders or, at United's discretion, completion of the travel only upon payment of an applicable revenue fare (and applicable taxes and fees), or (d) the loss of other Program and MileagePlus Program `benefits. In addition to the foregoing United’s Remedies, United may, upon written request, require the Member to repay the value, as determined by United, of the awards redeemed, certificates or benefits acquired as a result of Prohibited Conduct and, in the event of a Member’s failure to repay, may initiate legal action to recoup the value of awards redeemed, certificates or benefits acquired by the Member through Prohibited Conduct. A "Member" is a United MileagePlus member.
4. In the event United suspects Prohibited Conduct, United reserves the right, with or without notice to the Member, (a) to delay or suspend all activity (including without limitation any mileage redemption activity and processing of any mileage redemption requests for any awards, certificates or benefits, including without limitation any Premier (and/or Million Miler) status benefits) in any MileagePlus account, and (b) to audit or investigate any MileagePlus account at any time. During the course of an audit or investigation, a Member’s account information may be shared with any third party with whom United has contracted to assist in performing such audit or investigation. While the account is suspended, the Member may continue to accrue miles and Premier Qualifying Credits in the account, but no mileage redemptions or other transactions will be permitted and any outstanding award redemptions, certificates and benefits (including without limitation any Premier (and/or Million Miler) status benefits, if applicable) will be subject to cancellation or suspension. Cancelled award redemptions, certificates and benefits must be surrendered to United upon United’s request. Upon completion of the audit or investigation, if Prohibited Conduct has been detected by United, United may exercise any one or more of United’s Remedies or any other remedies available at law or in equity.
5. The Program is not a game, competition or loyalty program.
6. All calculations made in connection with the Program, including without limitation, the eligibility and severity of a Vulnerability and the associated award miles will be made by United in its discretion and such calculations will be considered final.
7. The Program is open only to Members who are eighteen (18) years of age or older at time of submission and are not residents of any country on the current United States sanctions list. Current or former employees, officers and directors (and their respective immediate family members (spouse, parents, siblings, children) or household members (whether or not related)) of United Airlines, Inc. or its parent(s), subsidiaries, affiliated companies and any Star Alliance™ member airline or any other partner airline, agents, or contractors, and anyone who participates in the administration of the Program are not eligible.
8. Neither United’s waiver or consent to a deviation from the Rules nor any course of dealing shall be construed as a waiver by United of any subsequent violation of the Rules and United may invoke United’s Remedies for a violation of the Rules despite any such prior waiver or consent.
9. Members may be required to supply a password and/or other security measures when conducting certain transactions in writing, by phone or on the internet for security or other purposes. Members are responsible for maintaining the confidentiality of their password and other security credentials, as applicable.
10. Neither participation in the Program nor anything contained in these Rules shall be construed as creating or implying a joint venture, partnership, agency or employment relationship between the Member and United or its affiliates.
11. Information a Member receives or collects about United or its affiliates or Members through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information"). For purposes of the Program, information and/or material shall be deemed "Confidential Information" if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material "confidential" or "proprietary."
12. Confidential Information must be kept confidential and only used in connection with the Program. Confidential Information may not be disclosed or distributed without United's prior written consent.
13. A Member agrees to defend, indemnify and hold harmless United and its affiliates and the officers, directors, agents, employees and vendors of United and its affiliates from any claim or demand (including attorneys' fees) made or incurred by any third party due to or arising out of participation in the Program, breach of the Rules or improper use of the Program.
14. The Program and the issuance and use of awards may be prohibited or restricted by the laws in some non-U.S. countries. Nothing in these Rules should be read to override or circumvent any such non-U.S. laws. United may exercise any one or more of United’s Remedies, with or without notice to the Member, in the event the Program, or a Member’s participation in any way in the Program, violates non-U.S. laws.

     

    Vulnerabilities

15. Vulnerabilities or potential Vulnerabilities discovered may not at any time be disclosed publicly or to a third-party. Doing so will disqualify the Member from receiving miles.
16. Vulnerabilities must be new discoveries and award miles will be provided only to the first Member who submits a particular Vulnerability and must comport with the specifications set forth by United from time to time on the Program site.
17. Vulnerabilities must be submitted through the submission portal (or other method as designated from time to time by United) and include the Member's legal name, MileagePlus number and phone number as well as a thorough description of the Vulnerability and supporting evidence.
18. The determination of the validity and severity of a Vulnerability is entirely within United's discretion.
19. A Member must not knowingly or intentionally access or acquire the personal information of any United customer, Member or other individual. In the event a Member inadvertently accesses or acquires the personal information of any United customer, Member or other individual, the Member must immediately cease the affecting activity, document steps to replicate and notify United as soon as possible.
20. The Member submitting the Vulnerability must not be the author of the vulnerable code.
21. A Member shall not at any time:
    • attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services;
    • attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not the Member's;
    • attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi;
    • attempt to target United employees or customers, including social engineering attacks, phishing attacks or physical attack;
    • perform physical attacks against United airport facilities; or
    • use automated scanners/tools.

    Award Miles

22. Award miles may be earned once for each qualifying Vulnerability submitted. All Vulnerabilities must pose a security threat in order to be eligible for award miles.
23. The current award miles issued per Vulnerability by severity may be posted on the Program website from time to time. In some cases, depending upon the circumstances, multiple submissions from one Member may be deemed one Vulnerability in United's sole discretion.
24. A Vulnerability may be subject to a maximum number of award miles in United's sole discretion.
25. United will provide award miles for each qualifying Vulnerability once the Vulnerability has been validated and confirmed.
26. No one Vulnerability will receive more than one million miles except where expressly allowed by United.
27. Award miles offered under this Program are not Premier® qualifying miles.
28. United reserves the right to adjust a Member’s account balance if mileage was deposited in error.

     

    Privacy Policy

29. By participating in the Program, Members authorize United to collect, maintain, use, process and share their information, including, without limitation, names, email addresses, physical addresses, account and other information in accordance with United’s Privacy Policy. You can learn more about how United collects, maintains, uses, processes and shares your information in United’s Privacy Policy which may be viewed at https://www.united.com/ual/en/us/fly/privacy.html. United's Privacy Policy is merely a statement of administrative protocol; it is not a contract, nor does it create any contractual or legal rights. United’s Privacy Policy is not made, or intended to be made, a part of these Rules.