Among the many ways to accrue frequent flyer miles available, hacking an airline’s website isn’t one near the top of my list. Yet this is exactly what you can earn through United’s Bug Bounty program. You can even make enough miles to have free flights for a really, really, REALLY long time. One man’s skills have actually netted him 15 million United miles(!), making him the most successful hacker (contributor?) in United’s bug bounty program.
Ryan Pickren, a Georgia Tech student, has made more miles than he can use anytime soon by hacking United Airlines’ website. Sound like a recipe for prison time? Through United’s Bug Bounty program, it’s entirely legitimate. Pickren’s participation in the program started as a hobby to earn some miles to see his girlfriend, but he kept at it after he realized how much he enjoyed finding bugs.
Pickren’s hacking wasn’t always so constructive
Ryan Pickren’s hacking has also gotten him into trouble. In 2015 he was arrested for hacking into a rival schools calendar. Although the prank he pulled was harmless, the school did press charges. The offense was a felony that could result in 15 years in prison and a $50,000 fine. Fortunately, Pickren was allowed to complete a pretrial diversion program, which allowed the charges to be dismissed. And for him to turn to better pursuits, such as bug-finding for United Airlines.
United’s Bug Bounty program allows savvy hackers to earn miles by discovering and reporting security flaws in United’s app, website, or online portals. The payout per bug discovered varies from 50,000 to 1,000,000 miles. There are a large number of terms and conditions to the program, including some attacks that are off limits. This makes for an interesting situation where there could be a code-injection security bug, but you have to discover it without actually injecting code into one of United’s programs.
So what has Ryan done with the 15 million miles he earned by finding bugs? For one, he has donated 5 million to his alma mater. Beyond that, he has a multitude of other ways to use them (SEE: 6 ways to spend your million United miles).
Featured image via Wikimedia Commons under CC 4.0 license.
This site is part of an affiliate sales network and receives compensation for sending traffic to partner sites, such as thepointsguy.com. This may impact how and where links appear on this site. Responses are not provided or commissioned by the bank advertiser. Some or all of the card offers that appear on the website are from advertisers and that compensation may impact on how and where card products appear on the site. Any opinions expressed in this post are my own, and have not been reviewed, approved, or endorsed by my advertising partners and I do not include all card companies, or all available card offers. Terms apply to American Express benefits and offers and other offers and benefits listed on this page. Enrollment may be required for select American Express benefits and offers. Visit americanexpress.com to learn more. Other links on this page may also pay me a commission - as always, thanks for your support if you use them
User Generated Content Disclosure: Points With a Crew encourages constructive discussions, comments, and questions. Responses are not provided by or commissioned by any bank advertisers. These responses have not been reviewed, approved, or endorsed by the bank advertiser. It is not the responsibility of the bank advertiser to respond to comments.
He didn’t make miles he earned them by providing a service to the airline that will ultimately benefit other travellers.
True. But that’s what I meant. I was using it in the sense of “making a living”, which is essentially synonymous with “earning an income”. I guess it’s ambiguous considering the post is about hacking, and he could have theoretically “made” miles by executing code within the website to do so. But that would have been illegal under the program.
I’ve seen this story covered elsewhere: one downside is that it’s considered taxable income at the high value stated by United (2 cents / mile), which means $300K of taxable income, yielding maybe $90K owed in federal & state taxes. And that’s due the year receiving the miles, not redeeming them.
Ouch. Good point. I didn’t think of that issue!
Tthe real story is how crappy UAs website is that they were awarding maximum bonuses for critical bugs. Imagine what damage a processional hacking group could do. Surely this college student doesn’t have the time or resources to get all the big bugs