Author Topic: United Bug Bounty  (Read 1478 times)


United Bug Bounty
« on: May 05, 2023, 05:46:01 pm »
submit bug report:

United Airlines vulnerability disclosure program
At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we offer a vulnerability disclosure program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential vulnerability that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort.
Before reporting an issue, please review the "United Terms." By participating in the vulnerability disclosure program, you agree to comply with these terms and the requirements and guidelines included here.
What is a vulnerability disclosure program?
A vulnerability disclosure program permits independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a vulnerability.
Eligibility requirements
To ensure that submissions and payouts are fair and relevant, the researcher and the vulnerability must be eligible according to the United disclosure program terms, including, but not limited to, the following requirements:
All vulnerabilities must be new discoveries. Award miles will be provided only to the first researcher who submits a particular vulnerability.
The researcher must be a MileagePlus® member in good standing of at least 18 years of age. If you're not yet a member, join the MileagePlus program now.
The researcher must not reside in a country currently on a United States sanctions list.
The researcher submitting the vulnerability must not be a current or former employee of United Airlines, any Star Alliance™ member airline or any other partner airline, a contractor of United Airlines, or a family member or household member of an employee of United Airlines or any partner airline.
The researcher submitting the vulnerability must not be the author of or have any prior affiliation with the vulnerable code.
Target information
United may determine from time to time what constitutes an eligible vulnerability. Below is a summary of all the targets for which United will review vulnerability submissions:
United Airlines commercial website (
United iOS and Android apps
The United iOS application can be downloaded from the Apple App Store
The United Android application can be downloaded from the Google Play Store
United MileagePlus X iOS and Android Apps
The MileagePlus X iOS application can be downloaded from the Apple App Store
The MileagePlus X Android application can be downloaded from the Google Play Store
Below you can find the in-scope and out-of-scope targets for the vulnerability disclosure program.
* - Website testing
United Mobile App for iOS - Mobile testing
United Mobile App for Android - Mobile testing
MileagePlus X App for iOS - Mobile testing
MileagePlus X App for Android - Mobile testing
United uses multiple 3rd party sites/services which are considered out of scope for this program. Additionally, the scope list is subject to change. The following targets are considered out-of-scope:
Onboard Wi-Fi, entertainment systems or avionics
Corporate email
3rd party applications/services
Non-production environments
Rules of engagement
Provide details of the vulnerability finding, including information needed to reproduce and validate the vulnerability using the submission form.
All vulnerabilities must pose a security threat in order to be eligible for a reward. United is ultimately responsible for determining the severity of an issue.
Vulnerabilities or potential vulnerabilities you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving award miles.
Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services.
Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not your own.
Do not attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
Do not attempt to target United employees or customers using methods, including social engineering attacks, phishing attacks or physical attacks.
Do not perform physical attacks against United airport facilities.
Do not use automated scanners/tools.
Vulnerabilities that are eligible for submission:
Remote code execution
SQL injection
Server-side request forgery
Directory traversal - local file inclusion
Authentication/authorization bypass (broken access control)
Privilege escalation
Insecure direct object reference
Web cache deception
CORS misconfiguration
CRLF injection
Cross site request forgery
Open redirect
Information disclosure
Request smuggling
Mixed content
Vulnerabilities that are not eligible for submission:
Security best practices i.e. security headers, etc.
Social engineering, phishing
Physical attacks
Missing cookie flags
CSRF with minimal impact i.e. login CSRF, logout CSRF, etc.
Content spoofing
Stack traces, path disclosure, directory listings
SSL/TLS best practices
Banner grabbing
CSV injection
Reflected file download
Reports on out-of-date browsers
Host header injection without a demonstrable impact
Scanner Outputs
Vulnerabilities on third-party products
User enumeration
Password complexity
HTTP trace method
SPF record
Insufficient anti-automation
Rate-limiting attacks
Severity of the vulnerabilities reported
The reward for disclosing an eligible vulnerability may vary depending on the severity of the vulnerability. The United Security team will determine the severity of the vulnerability after reviewing the submission, using a combination of the Common Vulnerability Scoring System (CVSS) and OWASP Risk Rating Methodology. Researchers will be paid out upon successful validation of their submission. Several submissions may be considered one vulnerability at United's discretion.
Maximum payout in award miles according to vulnerability severity
Severity   Maximum payout in award miles
Critical   1,000,000
High   500,000
Medium   250,000
Low   50,000
Please submit a report to the United vulnerability disclosure program by confirming that you understand and accept the policy and terms and conditions, and by using the submission form included here.