At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we are offering a bug bounty program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential security bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and effort.
Before reporting a security bug, please review the "United Terms." By participating in the bug bounty program, you agree to comply with these terms.
What is a bug bounty program?
A bug bounty program permits independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.
To ensure that submissions and payouts are fair and relevant, the following eligibility requirements and guidelines apply to all researchers submitting bug reports:
- All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular security bug.
- The researcher must be a MileagePlus member in good standing. If you’re not yet a member, join the MileagePlus program now.
- The researcher must not reside in a country currently on a United States sanctions list.
- The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance™ member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
- The researcher submitting the bug must not be the author of the vulnerable code.
Bugs that are eligible for submission:
- Authentication bypass
- Bugs on United-operated, customer-facing websites such as:
- Bugs on the United app
- Bugs in third-party programs loaded by united.com or its other online properties
- Cross-site request forgery
- Cross-site scripting (XSS)
- Potential for information disclosure
- Remote code execution
- Timing attacks that prove the existence of a private repository, user or reservation
- The ability to brute-force reservations, MileagePlus numbers, PINs or passwords (Note: While we accept bug reports on the ability to conduct brute-force attacks, we do not allow execution of brute-force attacks on other users. Please see the “Do not attempt” section. If you believe you have found a method to conduct a brute-force or code injection attack, please report it to us without testing it.)
Bugs that are not eligible for submission:
- Bugs that only affect legacy or unsupported browsers, plugins or operating systems
- Bugs on internal sites for United employees or agents (not customer-facing)
- Bugs on partner or third-party websites or apps such as:
- Bugs on onboard Wi-Fi, entertainment systems or avionics
- Insecure cookie settings for non-sensitive cookies
- Previously submitted bugs
- Self-cross-site scripting
- Vulnerabilities that apply only to you or your own account
Do not attempt:
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other United customers.
- Brute-force attacks
- Code injection on live systems
- Disruption or denial-of-service attacks
- The compromise or testing of MileagePlus accounts that are not your own
- Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
- Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
- Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
- Vulnerability scans or automated scans on United servers (including scans using tools such as Acunetix, Core Impact or Nessus)
If you have discovered a security bug that meets the requirements, and you’re the first eligible researcher to report it, we will gladly reward you for your efforts. Below is our bounty payout structure, which is based on the severity and impact of bugs.
Bug Bounty payout structure
||Maximum payout in award miles
- Authentication bypass
- Brute-force attacks
- Potential for personally identifiable information (PII) disclosure
- Timing attacks
- Cross-site scripting
- Cross-site request forgery
- Third-party security bugs that affect United
If you think you have discovered an eligible security bug, we would love to work with you to resolve it.
- Please email us at firstname.lastname@example.org and include "Bug Bounty Submission" in the subject line.
- Within the body of the email, please describe the nature of the bug along with any steps required to replicate it, as well as pertinent applications, programs or tools used to discover the bug and the date and time testing took place.
- Include your legal name, MileagePlus number, phone number and IP address at time of testing with your submission.
- A drafted report including legible screenshots is greatly appreciated.
Please feel free to reach out to us at email@example.com with any questions regarding the bug bounty program. We receive a lot of submissions through this program, so we may not be able to reply to your email right away, but we’ll respond as soon as possible. We look forward to hearing from you.
- Terms and conditions
- By participating, you agree to comply with the United Terms.
- The Program is not a game or competition, but rather an experimental and discretionary reward program. Offer is valid for qualified "Bugs" submitted on or after May 11, 2015. We may cancel the Program at any time and the decision as to whether or not to pay award miles is entirely within United's discretion.
- The United "Bug Bounty" offer is open only to United MileagePlus members who are 14 years of age or older at time of submission. Offer is void where prohibited and subject to all laws. Employees, officers and directors (and their respective immediate family members (spouse, parents, siblings, children) or household members (whether or not related)) of United Airlines, Inc. or its parent(s), subsidiaries, affiliated companies, agents, or contractors, and anyone who participates in the administration of the Bug Bounty program are not eligible.
- Bugs must be submitted to firstname.lastname@example.org and include the researcher's legal name, MileagePlus number and phone number as well as a thorough description of the Bug and supporting evidence.
- Bugs must be new discoveries. Award miles will be provided only to the first eligible researcher to submit a particular Bug.
- In event of disclosure of PII other than your own test account, please cease the affecting activity and document steps to replicate as soon as possible.
- The researcher submitting the Bug must not be the author of the vulnerable code.
- Bugs or potential Bugs you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving award miles.
- You must not knowingly or intentionally access or acquire the personal information of any United customer or member. In the event it is determined you knowingly or intentionally accessed the personal information of any United customer or member, you will become immediately ineligible to participate in this Program. In the event you inadvertently access or acquire the personal information of any United customer or member, you must immediately cease all activity.
- Award miles may be earned once for each qualifying Bug submitted. You can earn award miles an unlimited number of times in accordance with these terms and conditions.
- You are responsible for any tax implications that apply based on your country of residency and citizenship.
- United will provide a payout for each qualifying Bug once it has been remediated. Our desired timeframe to remediate each valid submission is within 90 days following the confirmation of each qualifying Bug.
- Neither your Participation in the Program nor anything contained in the United Terms shall be construed as creating or implying a joint venture, partnership, agency or employment relationship between you and United or its affiliates.
- Information you receive or collect about United or its affiliates or members through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information"). For purposes of the Program, information and/or material shall be deemed "Confidential Information" if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material "confidential" or "proprietary."
- Confidential Information must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information without United's prior written consent.
- You agree to defend, indemnify and hold harmless United and its affiliates and the officers, directors, agents, employees and vendors of United and its affiliates from any claim or demand (including attorneys' fees) made or incurred by any third party due to or arising out of your participation in the Program, your breach of the United Terms or your improper use of the Program.
- Award miles offered under this Program are not Premier® qualifying miles.
- Offer is subject to change without notice. Other restrictions may apply.
- Miles accrued, awards, and benefits issued are subject to change and are subject to the rules of the United MileagePlus program, including without limitation the Premier® program, which are expressly incorporated herein. United may change the MileagePlus Program including, but not limited to, rules, regulations, travel awards and special offers or terminate the MileagePlus Program at any time and without notice. United and its subsidiaries, affiliates and agents are not responsible for any products or services of other participating companies and partners. Taxes and fees related to award travel are the responsibility of the member. Bonus award miles, award miles and any other miles earned through non-flight activity do not count toward qualification for Premier status unless expressly stated otherwise. The accumulation of mileage or Premier status or any other status does not entitle members to any vested rights with respect to the MileagePlus Program. All calculations made in connection with the United MileagePlus Program and/or the Premier Program, including without limitation the accumulation of mileage and the satisfaction of the qualification requirements of the Premier Program, and/or the revisions of calculations (including any estimates), will be made by United Airlines and MileagePlus in their discretion and such calculations will be considered final. Information in this communication that relates to the MileagePlus Program does not purport to be complete or comprehensive and may not include all of the information that a member may believe is important, and is qualified in its entirety by reference to all of the information on the united.com website and the MileagePlus Program rules. United and MileagePlus are registered service marks. For complete details about the MileagePlus Program, go to united.com/MileagePlus