United Airlines vulnerability disclosure program

At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we offer a vulnerability disclosure program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential vulnerability that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort.

Before reporting a security vulnerability, please review the "United Terms". By participating in the vulnerability disclosure program, you agree to comply with these terms and the requirements and guidelines included here.

What is a vulnerability disclosure program?

A vulnerability disclosure program permits independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a vulnerability.

Eligibility requirements

To ensure that submissions and payouts are fair and relevant, the researcher and the vulnerability must be eligible according the United disclosure program terms, including, but not limited to, the following requirements:

  • All vulnerabilities must be new discoveries. Award miles will be provided only to the first researcher who submits a particular vulnerability.
  • The researcher must be a MileagePlus® member in good standing of at least 18 years of age. If you're not yet a member, join the MileagePlus program now.
  • The researcher must not reside in a country currently on a United States sanctions list.
  • The researcher submitting the vulnerability must not be a current or former employee of United Airlines, any Star Alliance™ member airline or any other partner airline, a contractor of United Airlines, or a family member or household member of an employee of United Airlines or any partner airline.
  • The researcher submitting the vulnerability must not be the author of or have any prior affiliation with the vulnerable code.

Target information

United may determine from time to time what constitutes an eligible vulnerability. Below is a summary of all the targets for which United will review vulnerability submissions:

  • United Airlines commercial website (united.com)
  • United iOS and Android apps
  • United MileagePlus X iOS and Android Apps
    • The MileagePlus X iOS application can be downloaded from the Apple App Store.
    • The MileagePlus X Android application can be downloaded from the Google Play Store.

Below you can find the in-scope and out-of-scope targets for the vulnerability disclosure program.

In-scope

  • *.united.com - Website testing
  • United Mobile App for iOS - Mobile testing
  • United Mobile App for Android - Mobile testing
  • MileagePlus X App for iOS - Mobile testing
  • MileagePlus X App for Android - Mobile testing

Out-of-scope

United uses many multiple 3rd party sites/services which are considered out of scope for this program. Additionally, the scope list is subject to change. The following targets are considered out-of-scope:

  • Onboard Wi-Fi, entertainment systems or avionics
  • Corporate email
  • 3rd party applications/services
  • Non-production environments
  • hotels.united.com
  • vacations.united.com
  • united.jobs
  • newsroom.united.com
  • ir.united.com
  • hub.united.com
  • jobs.united.com
  • opinions.united.com
  • globallinks.united.com
  • dutyfree.united.com
  • bigmetalbird.united.com
  • globalservices.united.com
  • uatp.united.com
  • thanksamillion.united.com
  • unitedmileageplus.com
  • secure.unitedmileageplus.com
  • newspaper-miles.com
  • *.ual.com
  • *.mileageplus.com
  • cruises.united.com
  • ualmiles.com
  • unitedshop.summitmg.com
  • united-veterans.jobs
  • clubconferencerooms.united.com/unit
  • theexplorercard.com
  • mpclubcard.com
  • myexplorercard.com
  • unitedexplorecard.com
  • unitedexplorer.com
  • unitedexplorercard.com
  • mileageplusawards.com
  • mpdining.rewardsnetwork.com
  • m.mpdining.rewardsnetwork.com
  • news.united.com/responsys
  • survey.continental.com/vovici.net
  • booking.unitedcargo.com
  • chargerback.com

Rules of engagement

  • Provide details of the vulnerability finding, including information needed to reproduce and validate the vulnerability using the submission form.
  • All vulnerabilities must pose a security threat in order to be eligible for a reward. United is ultimately responsible for determining the severity of an issue.
  • Vulnerabilities or potential vulnerabilities you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving award miles.
  • Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services.
  • Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not your own.
  • Do not attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
  • Do not attempt to target United employees or customers using methods, including social engineering attacks, phishing attacks or physical attacks.
  • Do not perform physical attacks against United airport facilities.
  • Do not use automated scanners/tools.

Vulnerabilities that are eligible for submission:

  • Remote code execution
  • SQL injection
  • XXE
  • XSS
  • Server-side request forgery
  • Directory traversal - local file inclusion
  • Authentication/authorization bypass (broken access control)
  • Privilege escalation
  • Insecure direct object reference
  • Misconfiguration
  • Web cache deception
  • CORS misconfiguration
  • CRLF injection
  • Cross site request forgery
  • Open redirect
  • Information disclosure
  • Request smuggling
  • Mixed content

Vulnerabilities that are not eligible for submission:

  • Security best practices i.e. security headers, etc.
  • Social engineering, phishing
  • Physical attacks
  • Missing cookie flags
  • CSRF with minimal impact i.e. login CSRF, logout CSRF, etc.
  • Content spoofing
  • Stack traces, path disclosure, directory listings
  • SSL/TLS best practices
  • Banner grabbing
  • CSV injection
  • Reflected file download
  • Reports on out-of-date browsers
  • DOS/DDOS
  • Host header injection without a demonstrable impact
  • Scanner Outputs
  • Vulnerabilities on third-party products
  • User enumeration
  • Password complexity
  • HTTP trace method
  • DMARC
  • Clickjacking
  • SPF record
  • Insufficient anti-automation
  • Rate-limiting attacks
  • Self-XSS

Severity of the vulnerabilities reported

The reward for disclosing an eligible vulnerability may vary depending on the severity of the vulnerability. The United Security team will determine the severity of the vulnerability after reviewing the submission, using a combination of the Common Vulnerability Scoring System (CVSS) and OWASP Risk Rating Methodology. Researchers will be paid out upon successful validation of their submission.  Several submissions may be considered one vulnerability at United's discretion. 

Maximum payout in award miles according to vulnerability severity

Maximum payout in award miles according to vulnerability severity
Severity Maximum payout in award miles
Critical 1,000,000 miles
High 500,000 miles
Medium 250,000 miles
Low 50,000 miles
Informational 0 miles

Maximum payout in award miles according to vulnerability severity

Maximum payout in award miles

1,000,000 miles

Maximum payout in award miles

500,000 miles

Maximum payout in award miles

250,000 miles

Maximum payout in award miles

50,000 miles

Maximum payout in award miles

0 miles

Submissions

Please submit a report to the United vulnerability disclosure program by confirming that you understand and accept the policy and terms and conditions, and by using the submission form included here.

  • Rules for the United Airlines Vulnerability Disclosure Program

    Important: The following rules, the United Privacy Policy and the MileagePlus Program Rules constitute the rules and other provisions (collectively, “Rules”) of the United Airlines Vulnerability Disclosure program (the "Program"). By participating in the Program, you indicate your acceptance of these Rules and agree to abide by them. It is your responsibility to read and understand all of the Rules. These Rules can be supplemented by the Program site but cannot be superseded or changed, except in writing from United Airlines or any of its affiliates (collectively, "United"). The most current Rules may be found on united.com and this is the final authority on the Rules. The Rules on united.com shall be deemed to supersede any prior or conflicting versions thereof.

    General conditions

    1. The Program is offered at the discretion of United and United has the right to terminate the Program, in whole or in part, or to change the Rules, benefits, conditions of participation, qualification criteria or award levels, in whole or in part, at any time, with or without notice.
    2. United shall determine what constitutes a vulnerability ("Vulnerability" or "Vulnerabilities") and establish the criteria and process for Vulnerability submission and the benefits associated therewith and may post such criteria and process on the Program site from time to time.
    3. The Rules control your participation in the Program and no covenants at law or in equity shall be implied or incorporated, all of which are expressly disclaimed. United has the sole right to interpret and apply the Rules. IN NO EVENT SHALL UNITED BE LIABLE TO A MEMBER, OR ANYONE ACTING ON THE MEMBER’S BEHALF, FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL DAMAGES, INCLUDING LOST REVENUE OR PROFITS, ARISING OUT OF THE ACTS OR OMISSIONS OF UNITED IN CONNECTION WITH THE PROGRAM, OR COSTS OR ATTORNEYS’ FEES. Any abuse of the Program or failure to follow the Rules, any violation of law, rule, or regulation, any conduct detrimental to the interests of United, any fraudulent activity or attempted fraudulent activity, any dissemination of information designed to defraud United, or any misrepresentation of any information furnished to United or its affiliates by any Member, anyone else acting on the Member's behalf, or any third party (collectively, “Prohibited Conduct”), may result in United exercising any one or more of the following remedies (“United’s Remedies”), with or without notice to the Member: (a) the termination by United of such Member’s membership in MileagePlus (including without limitation any Premier or Million Miler status, if applicable), (b) the removal or cancellation by United of any or all accrued mileage, Premier Qualifying Credits, lifetime miles, and any pending or outstanding award redemptions, certificates, or benefits (including without limitation any benefits associated with Premier (and/or Million Miler) status, if applicable), (c) the confiscation of any award tickets, denial of boarding with respect to any award ticket holders or, at United's discretion, completion of the travel only upon payment of an applicable revenue fare (and applicable taxes and fees), or (d) the loss of other Program and MileagePlus Program `benefits. In addition to the foregoing United’s Remedies, United may, upon written request, require the Member to repay the value, as determined by United, of the awards redeemed, certificates or benefits acquired as a result of Prohibited Conduct and, in the event of a Member’s failure to repay, may initiate legal action to recoup the value of awards redeemed, certificates or benefits acquired by the Member through Prohibited Conduct. A "Member" is a United MileagePlus member.
    4. In the event United suspects Prohibited Conduct, United reserves the right, with or without notice to the Member, (a) to delay or suspend all activity (including without limitation any mileage redemption activity and processing of any mileage redemption requests for any awards, certificates or benefits, including without limitation any Premier (and/or Million Miler) status benefits) in any MileagePlus account, and (b) to audit or investigate any MileagePlus account at any time. During the course of an audit or investigation, a Member’s account information may be shared with any third party with whom United has contracted to assist in performing such audit or investigation. While the account is suspended, the Member may continue to accrue miles and Premier Qualifying Credits in the account, but no mileage redemptions or other transactions will be permitted and any outstanding award redemptions, certificates and benefits (including without limitation any Premier (and/or Million Miler) status benefits, if applicable) will be subject to cancellation or suspension. Cancelled award redemptions, certificates and benefits must be surrendered to United upon United’s request. Upon completion of the audit or investigation, if Prohibited Conduct has been detected by United, United may exercise any one or more of United’s Remedies or any other remedies available at law or in equity.
    5. The Program is not a game, competition or loyalty program.
    6. All calculations made in connection with the Program, including without limitation, the eligibility and severity of a Vulnerability and the associated award miles will be made by United in its discretion and such calculations will be considered final.
    7. The Program is open only to Members who are eighteen (18) years of age or older at time of submission and are not residents of any country on the current United States sanctions list. Current or former employees, officers and directors (and their respective immediate family members (spouse, parents, siblings, children) or household members (whether or not related)) of United Airlines, Inc. or its parent(s), subsidiaries, affiliated companies and any Star Alliance™ member airline or any other partner airline, agents, or contractors, and anyone who participates in the administration of the Program are not eligible.
    8. Neither United’s waiver or consent to a deviation from the Rules nor any course of dealing shall be construed as a waiver by United of any subsequent violation of the Rules and United may invoke United’s Remedies for a violation of the Rules despite any such prior waiver or consent.
    9. Members may be required to supply a password and/or other security measures when conducting certain transactions in writing, by phone or on the internet for security or other purposes. Members are responsible for maintaining the confidentiality of their password and other security credentials, as applicable.
    10. Neither participation in the Program nor anything contained in these Rules shall be construed as creating or implying a joint venture, partnership, agency or employment relationship between the Member and United or its affiliates.
    11. Information a Member receives or collects about United or its affiliates or Members through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information"). For purposes of the Program, information and/or material shall be deemed "Confidential Information" if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material "confidential" or "proprietary."
    12. Confidential Information must be kept confidential and only used in connection with the Program. Confidential Information may not be disclosed or distributed without United's prior written consent.
    13. A Member agrees to defend, indemnify and hold harmless United and its affiliates and the officers, directors, agents, employees and vendors of United and its affiliates from any claim or demand (including attorneys' fees) made or incurred by any third party due to or arising out of participation in the Program, breach of the Rules or improper use of the Program.
    14. The Program and the issuance and use of awards may be prohibited or restricted by the laws in some non-U.S. countries. Nothing in these Rules should be read to override or circumvent any such non-U.S. laws. United may exercise any one or more of United’s Remedies, with or without notice to the Member, in the event the Program, or a Member’s participation in any way in the Program, violates non-U.S. laws.

       

      Vulnerabilities

    15. Vulnerabilities or potential Vulnerabilities discovered may not at any time be disclosed publicly or to a third-party. Doing so will disqualify the Member from receiving miles.
    16. Vulnerabilities must be new discoveries and award miles will be provided only to the first Member who submits a particular Vulnerability and must comport with the specifications set forth by United from time to time on the Program site.
    17. Vulnerabilities must be submitted through the submission portal (or other method as designated from time to time by United) and include the Member's legal name, MileagePlus number and phone number as well as a thorough description of the Vulnerability and supporting evidence.
    18. The determination of the validity and severity of a Vulnerability is entirely within United's discretion.
    19. A Member must not knowingly or intentionally access or acquire the personal information of any United customer, Member or other individual. In the event a Member inadvertently accesses or acquires the personal information of any United customer, Member or other individual, the Member must immediately cease the affecting activity, document steps to replicate and notify United as soon as possible.
    20. The Member submitting the Vulnerability must not be the author of the vulnerable code.
    21. A Member shall not at any time:
      • attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services;
      • attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not the Member's;
      • attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi;
      • attempt to target United employees or customers, including social engineering attacks, phishing attacks or physical attack;
      • perform physical attacks against United airport facilities; or
      • use automated scanners/tools.

      Award Miles

    22. Award miles may be earned once for each qualifying Vulnerability submitted. All Vulnerabilities must pose a security threat in order to be eligible for award miles.
    23. The current award miles issued per Vulnerability by severity may be posted on the Program website from time to time. In some cases, depending upon the circumstances, multiple submissions from one Member may be deemed one Vulnerability in United's sole discretion.
    24. A Vulnerability may be subject to a maximum number of award miles in United's sole discretion.
    25. United will provide award miles for each qualifying Vulnerability once the Vulnerability has been validated and confirmed.
    26. No one Vulnerability will receive more than one million miles except where expressly allowed by United.
    27. Award miles offered under this Program are not Premier® qualifying miles.
    28. United reserves the right to adjust a Member’s account balance if mileage was deposited in error.

       

      Privacy Policy

    29. By participating in the Program, Members authorize United to collect, maintain, use, process and share their information, including, without limitation, names, email addresses, physical addresses, account and other information in accordance with United’s Privacy Policy. You can learn more about how United collects, maintains, uses, processes and shares your information in United’s Privacy Policy which may be viewed at https://www.united.com/ual/en/us/fly/privacy.html. United's Privacy Policy is merely a statement of administrative protocol; it is not a contract, nor does it create any contractual or legal rights. United’s Privacy Policy is not made, or intended to be made, a part of these Rules.