Jordan Wiens has always wanted to fly around the world — business class. His wife is on board for the adventure but would rather save 200,000 frequent flyer miles by flying coach.
But after Jordan Wiens won 1.25 million frequent flyer miles with United Airlines, the couple can probably treat themselves to a little more legroom.
“That’d be a once in a lifetime opportunity,” said Wiens, a software vulnerability researcher, in a Friday interview.
Wiens was one of two hackers United recently rewarded with a million free miles of air travel for discovering and alerting the company to software defects through the airline's “bug bounty” program. With a million miles, they could fly from the continental United States to Europe 33 times.
Wiens said he won another quarter-million miles this week for reporting another defect. That means he could fly to Europe another eight times.
“Bug bounty” programs have become increasingly popular with technology companies. Facebook, Twitter and Dropbox offer hundreds of dollars to hackers who alert them to security problems on their sites. Now security experts say that as the risks of cyber breaches grow, the practice is spreading outside the tech field.
“As things get increasingly automated all around us, software is all around us and software bugs are all around us,” Harlan Yu, a principal at technology firm Upturn, said in a recent interview.
United, the second-largest airline in the United States, began the program just weeks before software glitches grounded the airline’s fleet twice. On June 2, 150 United flights were delayed for nearly an hour because of a problem with the airline’s flight dispatching system. On July 8, United’s reservation system malfunctioned for two hours and did not allow passengers to check in for their flights.
Wiens said the first problem he discovered, the one that got him a million frequent flyer miles, was a “remote code execution,” the kind of hack that allows a user to seize control of an entire device. The second was an “information disclosure,” or a data leak. Contest rules bar him from talking publicly about his specific discoveries, Wiens said.
“We are committed to protecting our customers’ privacy and the personal data we receive from them,” United said in a statement posted on its Web site. “We believe that this [bounty] program will further bolster our security and allow us to continue to provide excellent service.”
Wiens said he never planned on entering United’s contest. His day job, after all, is doing nearly the same thing as a consultant. But after a friend who had entered the program called him asking for a little advice, Wiens started poking around, and after three hours of leisurely searching he realized he was on to something.
By the next night, he had found a major vulnerability. Days later, United paid up.
— Jordan Wiens (@psifertex) July 10, 2015
And then paid up again.
Well that answers that question. Found out which of my two bugs was worth a million because the other is apparently worth 250k.
— Jordan Wiens (@psifertex) July 16, 2015
But reporting those bugs doesn’t mean United has a poor online security system, Wiens said. The fact that the airline runs a contest to detect these problems means more companies are getting realistic about the advantages of crowdsourcing cybersecurity, he said.
“I don’t think United has a bad security posture,” he said. “I think having a bug bounty program speaks to the maturity of their online presence.”
“I hope it continues,” he added. “I hope more companies get in on it.”
But that’s not because Wiens needs more airline miles.