by Gasparila 2662 days ago
I had one experience reporting a security vulnerability to United's bug bounty program and never want to do it again. I reported that I could reset anybody's MileagePlus number by only guessing a multiple-choice security question ("what is your favorite sport", etc.), bypassing any email confirmation or anything like that. After 3 months of back and forth with their security team, they released an Android update that patched the issue. I was then told "It turns out this fix was pushed by the QA team and was actually unrelated to your Bug Bounty submission" and that my submission was ineligible. At least they have a program, I guess?

Thanks for sharing your experience. No one wants innocent people's data to be compromised, but maybe your story will do something to discourage others from participating, and United will feel the consequences as a result. Having a bug bounty program is one thing; standing behind it is another. Is there a ranking of bug bounty programs in terms of ease of use, good faith, etc.?
It's never good to have bugs in the wild that could risk customer information. I want to see United shape up, but I don't want regular guys to suffer for it.
If people aren't going to be given the reward they deserve for all the work they put in, why should any of them help United? It isn't a free service.
Am I forcing them to by not wanting there to be a United data leak? What kind of reasoning is that?
You were making a point - is it not fair for people to respond to the problems they see with it?