The Washington PostDemocracy Dies in Darkness

Why United Airlines is rewarding hackers with millions of free miles

In this Saturday, Dec. 21, 2013, file photo, travelers check in at the United Airlines ticket counter at Terminal 1 in O'Hare International Airport in Chicago. United in May started rewarding hackers who discovered and reported software defects in the airline's system with miles of free air travel. (AP Photo/Nam Y. Huh, File)
Placeholder while article actions load

What would you do with 1 million frequent flyer miles?

Two hackers are about to find out. United Airlines confirmed Thursday it had rewarded two people with 1 million free miles of air travel each for discovering and disclosing software defects through the airlines "bug bounty" program. (With those 1 million miles, they could fly from the continental United States to Europe 33 times.)

The "bug bounty" program -- so named because it offers bounties for the detection of software defects -- is the first of its kind in the transportation industry, United claims.

Such programs have become increasing popular with technology companies. Finding a problem with Facebook's site will net you a minimum reward of $500, while Twitter will hand over at least $250.

Now security experts say as companies grow increasingly automate critical functions and the risks of cyber breaches grows, the practice is spreading outside the tech field.

"I think software is being increasingly built into things we use in our daily lives," said Harlan Yu, principal at technology firm Upturn. "As things get increasingly automated all around us, software is all around us and software bugs are all around us."

United, the nation's second-largest airline, began the program just weeks before software glitches grounded the airline's fleet twice. On June 2, 150 United flights were delayed for nearly an hour because of a problem with the airline's flight dispatching system.

On July 8, the same day unrelated technical problems caused the New York Stock Exchange to halt trading and the Wall Street Journal's Web site to crash, United's reservation system malfunctioned for two hours and did not allow passengers to check in for their flights.

Trade organization Airlines for America said in a statement it was not aware of other airlines seeking help from the public for their cyber security needs.

“Airlines take their customers’ privacy seriously and take all necessary precautions to keep passenger data secure," it said in the statement. "Most, if not all, airlines have internal programs whereby they continuously check their systems and have teams that conduct intrusion systems checks."

United Airlines announced its program in May, pledging to give hackers between 50,000 and 1 million miles of free air travel for identifying and reporting bugs within the company's software. (Tips or questions about the program can be sent to

"We are committed to protecting our customers' privacy and the personal data we receive from them," United said in a statement posted on its Web site. "We believe that this [bounty] program will further bolster our security and allow us to continue to provide excellent service."

United declined to release the names of the two people who earned 1-million-mile rewards.

But Jordan Wiens, a researcher with cyber security firm Velocity35, tweeted last week that United granted him the largest bug bounty reward.

Wiens did not respond to an interview request.