top | item 19300034

Gasparila | 7 years ago

I had one experience reporting a security vulnerability to United's bug bounty program and never want to do it again. I reported to them that I could reset anybody's MileagePlus number by only guessing a multiple-choice security question ("what is your favorite sport", etc.), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible. At least they have a program, I guess?

jrootabega | 7 years ago

Thanks for sharing your experience. No one wants innocent people's data to be compromised, but maybe your story will do something to discourage others from participating, and United will feel the consequences as a result. Having a bug bounty program is one thing; standing behind it is another. Is there a ranking of bug bounty programs in terms of ease of use, good faith, etc.?

tapland | 7 years ago

It's never good to have bugs in the wild that could risk customer information. I want to see United shape up, but I don't want regular guys to suffer for it.