Bug Bounties Work... If the Price Is Right
In May, United Airlines announced that it would pay out a million frequent-flyer miles to anyone who discovered a remote code execution bug in its websites or apps. Two tech pros have earned those million-mile payouts, according to United, although it declined to confirm whether other code-pickers had landed its smaller mileage awards. The airline offers a quarter-million frequent-flyer miles to any programmer who discovers vulnerabilities in its systems that could lead to brute-force attacks, authentication bypass, timing attacks, or personally identifiable information (PII) disclosure.

Earlier in July, a computer glitch grounded United’s entire fleet for hours. At the time, company spokespeople blamed the issue on a failed network router, but not before the Internet buzzed merrily about the possibility of a hack. Whatever the cause, the outage highlighted the need for large companies to eliminate as many critical vulnerabilities from their backend systems as humanly possible, or run the risk of embarrassing incidents.

United’s announcement also suggests that paying tech pros to poke through your system really will yield results—provided the rewards are high enough. But can a bug bounty program (no matter how well-funded) discover all the potential weaknesses in any given system?