United is committed to protecting their customers’ privacy and the personal data they receive from them, which is why they are offering a bug bounty program — the first of its kind within the airline industry.


If you think you have discovered a potential bug that affects their websites, apps and/or online portals, please let them know. If the submission meets their requirements, they will gladly reward you for your time and effort.

What is a bug bounty program?

A bug bounty program permits independent researchers to discover and report issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.

Eligibility requirements

To ensure that submissions and payouts are fair and impactful, the following eligibility requirements and guidelines apply to all researchers submitting bug reports:

  • All bugs must be new discoveries. Award miles will be provided only to the first researcher who submits a particular bug.
  • The researcher must be a MileagePlus member in good standing. If you’re not yet a member, join the MileagePlus program now.
  • The researcher must not reside in a country currently on a United States sanctions list.
  • The researcher submitting the bug must not be an employee of United Airlines, any Star Alliance™ member airline or any other partner airline, or a family member or household member of an employee of United Airlines or any partner airline.
  • The researcher submitting the bug must not be the author of the vulnerable code.

Bugs that are eligible for submission:

  • Authentication bypass
  • Bugs on customer-facing websites such as:
    • united.com
    • beta.united.com
    • mobile.united.com
  • Bugs on the United app
  • Bugs in third-party programs loaded by united.com or its other online properties
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Potential for information disclosure
  • Remote code execution
  • Timing attacks that prove the existence of a private repository, user or reservation
  • The ability to brute-force reservations, MileagePlus numbers, PINs or passwords

Bugs that are not eligible for submission:

  • Bugs that only affect legacy or unsupported browsers, plugins or operating systems
  • Bugs on internal sites for United employees or agents (not customer-facing)
  • Bugs on partner or third-party websites or apps
  • Bugs on onboard Wi-Fi, entertainment systems or avionics
  • Insecure cookie settings for non-sensitive cookies
  • Previously submitted bugs
  • Self-cross-site scripting

Do not attempt:

Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation.

  • Brute-force attacks
  • Code injection on live systems
  • Disruption or denial-of-service attacks
  • The compromise or testing of MileagePlus accounts that are not your own
  • Any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi
  • Any threats, attempts at coercion or extortion of United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Physical attacks against United employees, Star Alliance member airline employees, other partner airline employees, or customers
  • Vulnerability scans or automated scans on United servers

Bounties

If you have discovered a bug that meets the requirements, and you’re the first eligible researcher to report it, we will gladly reward you for your efforts. Below is our bounty payout structure, which is based on the severity and impact of bugs.

Bug Bounty payout structure
Each severity tier lists example bug classes and the maximum payout in award miles.

High (maximum payout: 1,000,000 award miles)
  • Remote code execution

Medium (maximum payout: 250,000 award miles)
  • Authentication bypass
  • Brute-force attacks
  • Potential for personally identifiable information (PII) disclosure
  • Timing attacks

Low (maximum payout: 50,000 award miles)
  • Cross-site scripting
  • Cross-site request forgery
  • Third-party issues that affect United

Here is a link to the United blog explaining the process.