A security researcher has earned the equivalent of a first-class, round-the-world trip after he submitted what he thought were a couple of "lame" bugs to United's new bug bounty program. In an industry first, United announced a bounty in May that rewards miles to anyone who identifies a bug on its website. There are 10 bug classes eligible: Cross-site scripting bugs, for example, are worth 50,000 miles, while authentication bypass bugs earn 250,000. While "passively poking the site," Jordan Wiens, founder of a Florida security company, says he found what he thought were two remote code execution bugs, which allow a hacker to run their own potentially dangerous code on a site. "I also thought they were lame and wasn't sure if they were on parts of the infrastructure that qualified," he tells Threatpost. "I figured they'd award me 50,000 miles or something smaller."
It turns out RCE bugs earn the highest payout: a maximum 1 million miles. After making his submission to United—his first to a bounty program, he says—Wiens got an email asking for confirmation that he was a US citizen and that his six hours of research was completed in the US. "Two hours later, I got a message to check my account that I had gotten my million miles," he says. Wiens, who can't share details of the bug, says the miles are worth $25,000 and could take him on a first-class trip around the world or on 40 domestic round-trip flights in coach. His plan is to use the miles on coach trips for his family, plus one luxurious flight with his wife, he tells Fox 13. Wired reports Wiens' award is the program's first major payout. Other security researchers have since shared their awards on Twitter. One says he nabbed 500,000 miles.