Crowdsourcing and Bug Bounties Bolster Online Security

Published Jul-28-15

Breakthrough:
Online security expert wins top prize for uncovering vulnerabilities in an airline’s IT systems.

Company:
United Airlines, United States

The Story:

Crowdsourcing and Bug Bounties Bolster Online Security Software security is a huge issue for many organizations. They are engaged in an evolutionary arms race with cyber criminals. As security systems increase in their levels of complexity and sophistication so do the toolboxes used by those who want to wreak havoc.

To try and stay one or more steps ahead of the bad guys, companies are reaching out to the crowd, to get them to test their systems and find vulnerabilities. They do so through bug bounty programs, hacking events that reward participants with big cash prizes for exposing these weaknesses.

United Airlines Bug Bounty Program

In 2015, United Airlines launched a crowdsourcing initiative that it said was the first of its kind in the airline industry. Its Bug Bounty program is an open call inviting hackers and online security experts to find flaws in its websites, apps and databases. The airline joins other companies such as Microsoft, Facebook, Mozilla, Samsung and Google who have invited hackers to find bugs and vulnerabilities in their systems.

While other firms have offered cash incentives, United is dangling lots of juicy air mile carrots in front of participants. These range from 50,000 free air miles for low-level bugs such as bugs in third party software affecting United, all the way up to one million free air miles for the highest level of bug - remote code execution. These codes allow an attacker to access someone else’s computer device no matter where it is located. This means a person could inject a code into a program from a remote location.

United’s crowdsourcing bug contest is directed at customer service systems and those covering company information, nothing related to aircraft and server systems. Contest organizers also laid down a number of activities that are forbidden in the pursuit of prizes. They include brute force attacks, disruption or denial-of-service attacks and code injection on live systems.

Bug Discovered in Rapid Time

The first recipient of a prize was Jordan Wiens, a vulnerability researcher from Florida. It took him just six hours to find a vulnerability in United Airlines' network, for which he was rewarded one million air miles.

The rules of the contest forbid the public disclosure of the bug, but Wiens tweeted that it "wasn't
technically challenging".

No Rest for the Bug Hunters

Crowdsourcing bug hunting programs can be a boon to companies no matter their size. They can be a cost-effective way of beefing up security systems by finding weaknesses before the criminals do. Although firms may operate their own penetration tests, a bug bounty program that involves numerous people trying to hack a system provides an additional layer of protection.

United's Bug Bounty program is ongoing and rewards air miles to the first researcher who submits a particular security bug.

Share on        
Next Story »

What Can we Solve for You?
800px-United_Airlines_B763_N651UA.jpg