Forget credit cards. Earn up to 1M miles by hacking United!

United Airlines unveiled a revolutionary (no, really) way to earn miles through its “Bug Bounty” program. Okay, so I guess it’s more like discovering vulnerabilities to prevent United Airlines from getting hacked, but it’s an interesting concept nonetheless.

Please do not “hack” United Airlines or they will probably sue you.

According to United’s new Bug Bounty page (which is sadly still on United’s Web 1.0 site), you can now earn miles by giving bugbounty@united.com a heads-up on any of the following:

• Authentication bypass
• Bugs on customer-facing websites such as:
  • united.com
  • beta.united.com
  • mobile.united.com
• Bugs on the United app
• Bugs in third-party programs loaded by united.com or its other online properties
• Cross-site request forgery
• Cross-site scripting (XSS) – My computer-savvy friends tell me this is a fairly easy way to get 50k miles. Is it? 
• Potential for information disclosure
• Remote code execution
• Timing attacks that prove the existence of a private repository, user or reservation
• The ability to brute-force reservations, MileagePlus numbers, PINs or passwords

How many miles you ask? Well, United has provided a handy-dandy hacker rewards chart that outlines the maximum bounty by severity of the bug:

Just be sure to avoid doing all of the following, which are definite no-no’s in United’s IT book (and could have the FBI knocking on your door):

• Brute-force attacks
• Code injection on live systems
• Disruption or denial-of-service attacks
• The compromise or testing of MileagePlus accounts that are not your own
• Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
• Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
• Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
• Vulnerability scans or automated scans on United servers

At the end of the day, United Airlines is outsourcing expensive computer security services to flyers who’d rather earn 1,000,000 miles instead of, let’s say, 1,000,000 dollars. It’s a bit ticky-tacky to be sure, but you got to hand it to United: it sure is innovative. Now when was the last time we could say that about them?

Read more about United’s Bug Bounty program at United.com and Wired.