United Airlines Bug Bounty Program

Around 4 years ago United Airlines launched a "Bug Bounty" program. Bug bounty programs are becoming more and more common as a way for companies to reward people for reporting security issues that they discover on their websites. Those rewards generally take the form of a cash payment, or sometimes just recognition for having discovered and reported the flaw.

United's Bug Bounty program is unique in that instead of paying cash for problems detected, they pay awards in United MileagePlus frequent flyer miles, with awards of between 25,000 and 1,000,000 miles depending on the severity of the bug discovered.

Bug Bounty Submission 1

A little over 2 years after United launched their Bug Bounty program I came across a flaw in their website that I considered worthy of the program, and subsequently submitted it to them. (You can find details of that issue in a separate blog post). After a few weeks, United denied my submission, claiming that the website was operating correctly.
"After looking into the issue we have determined this finding is not a valid security concern. The values apparently are required for other service calls. They are transmitting the information securely" - Ben from United's Bug Bounty Program

Anyone with any knowledge of security would know that this response made no sense, as the issue clearly is a security flaw. However, I decided not to bother following up any further, and vowed to write a blog post describing the issue instead.

Bug Bounty Submission 2

It wasn't until around 18 months later that I finally got around to writing a post describing the issue I'd discovered and submitted. Given that so much time had passed, I decided I should first give United another chance to acknowledge that this was a bug, so after confirming that the problem still existed I made another submission to the Bug Bounty program, including both this same issue and a second, separate but related issue. To my surprise, they admitted that both of my submissions were valid bugs, but said that the first issue I'd (re-)submitted was not covered by their Bug Bounty program as it was a "previously-known bug that the development team is currently addressing".

Even when I pointed out that I had previously reported this bug over 18 months earlier - presumably well before it was a known issue - they refused to budge and maintained that my submission was not valid.

Public Disclosure

Given that over 18 months had passed since I had submitted the bug and it had not been fixed (their own T&Cs state that "Our desired timeframe to remediate each valid submission is within 90 days ...") - and because I had already written the blog post describing the issue - I decided to publicly disclose the information leakage issue, whilst not disclosing the second issue they had accepted as a new, previously unknown issue. To their credit, United did act quickly and fixed the issue within 24 hours of my posting it.

A few days later I received an email from United's Bug Bounty team pointing out that, as per their T&Cs, publicly disclosing any issues discovered would disqualify me from receiving any miles as payment for discovering the issue - with the clear implication being that I should remove my blog post. Apparently the fact that they had already denied my submission, and thus I wouldn't be receiving any miles anyway, didn't occur to them at this stage...

Change of Face

After hearing nothing for a few weeks, out of the blue I received an email stating that, as a result of the issue I'd reported now being fixed, as a "valid submitter" I was going to receive a prize of 100,000 United miles. However, before they could pay the prize I would have to take down my blog post describing the (now fixed!) issue.

It's hard to know what to make of this. On one hand I can see this as them coming to their senses and recognizing that my original submission was valid and deserved to be awarded - even though they have never actually stated that fact. That being the case, the T&Cs of the bug bounty program around disclosure obviously need to be followed, and thus the blog post should go.

However it's just as easy to look on this as a bribe to remove my blog post. Take down the details of the flaw, and we'll pay you 100,000 miles...


The REAL Problem with United's Bug Bounty

Despite the issues described above, the real problem I have with United's Bug Bounty isn't their process, but their payment. The novelty of using "miles" as payment sounds like a cool idea for an airline, but ignores one major problem - the tax consequences.

In addition to getting 100,000 miles, United would also be supplying me with a 1099-MISC tax form, valuing the miles at 2 cents per mile, or $2,000 total. As a California resident, that amounts to around a $900 tax liability for me, so in effect my "free" 100,000 miles would actually be costing me just under 1 cent each.

Of course, paying tax on bug bounty payments isn't uncommon. The difference is that in most cases the payment itself would be in cash, so the tax liability could be paid out of the payment, and the result would always be net positive. With miles, that's not possible - the IRS won't allow me to hand over 45,000 of my miles in payment of the resulting tax bill - they'll want cold hard cash!

What's a Mile Worth?

So the question becomes: what is a "mile" really worth, and is it worth paying $900 to get 100,000 of them? It's a difficult question to answer given that miles don't have a clear cash value. There are a number of ways to use miles, from flights to merchandise to gift cards, so let's have a look at each of those.

Gift Cards

Starting with the simplest one, and the one nearest to cash value - gift cards. United has an entire website where you can buy gift cards with your miles. The prices vary a little depending on which shop the gift card is for, but in general a $100 gift card will cost you around 15,600 miles, meaning that 100,000 miles would give you around $640 in gift cards (about 0.64 cents/mile).

Let me say that again. 100,000 miles, which would result in a tax bill of over $900, could be turned into gift cards worth around $640, leaving me $260 out of pocket. Clearly not a good option.

Merchandise

United also provides the ability to purchase merchandise with miles - an option for which they send me a catalog in the mail at least 3-4 times a year.

Their current "best selling" product is apparently a pair of Bose QC35 headphones, which are available for only 48,100 miles. These headphones have an RRP from Bose of $350, valuing 100,000 miles at just over $700 (about 0.73 cents/mile) - still around $200 less than the tax bill. Other items are all of similar value, such as an Amazon Echo for 13,600 miles ($99.99 on Amazon, or around 0.74 cents/mile).

Flights

Calculating the value of miles for flights is difficult, as it can vary dramatically depending on where and when you're flying. For example, I recently flew from San Francisco to Palm Springs - a ticket that would have cost $264 if I'd paid cash, but instead cost me only 10,000 miles - giving a value of 2.64 cents/mile (or around $2,640 for 100,000 miles).

In this case I was lucky that a "cheap" redemption option was available - and even then it was only available because I have status with United. If I'd booked a day later, or if I hadn't had United status, the price would have been 32,500 miles for that same $264 flight, giving a valuation of only around 0.8 cents/mile ($800 for 100,000 miles - back to less than the tax bill!).

It's certainly possible to get some great value for flights using miles, especially when flying Business or First Class on 'Saver' awards - although again it's hard to put a value on that, especially given that such flights can be very difficult to come across. Even picking a relatively expensive route such as San Francisco to Sydney return in Business Class, booked a month or so in advance, will cost around $5,000 plus tax when paying cash, or 400,000 miles - still only giving a value of about 1.25 cents/mile.

However, for me personally, using miles presents a further challenge, which is that as a very frequent flyer I already have over 2 million miles on United and their partner airlines - enough to last me 5 to 10 (or more) years of flying. Accepting an additional 100,000 miles is going to give me a tax burden today for miles that I realistically won't be using for another 10 or more years!

And all of this ignores the fact that United reserves the right to clear out your mileage balance for any one of a number of reasons, including simply not earning or using any miles for 18 months - giving those 100,000 miles a value of exactly $0 (but still with a $900 tax bill!).

Fixing The Problem

The simple fact is that the "novelty" value of United's Bug Bounty payment method turns what is otherwise a reasonably strong program into what, for many people, will be at best a farce, and potentially even a very expensive experience!

In the Terms and Conditions for the program, United does call out the potential for tax implications, but even there they get it wrong:

The phrase "at a rate of 2% per mile added to your annual earnings" simply makes no sense - this is likely a typo for "2 cents per mile", but if so, it's a typo that has existed since the start of the program despite others having called them out on it.

United needs to either determine a way to provide a non-cash prize without tax implications, or at least give the option of a cash alternative. Being offered $2,000 in cash instead of miles that are apparently worth $2,000 resolves all of the issues described above, as it allows the tax to be paid out of the prize itself, rather than being an additional burden on the recipient.