At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure. We are committed to protecting our customers' privacy and the personal data we receive from them, which is why we offer a vulnerability disclosure program — the first of its kind within the airline industry. We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential vulnerability that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

The reward for disclosing an eligible vulnerability may vary depending on the severity of the vulnerability. The United Security team will determine the severity of the vulnerability after reviewing the submission, using a combination of the Common Vulnerability Scoring System (CVSS) and OWASP Risk Rating Methodology. Researchers will be paid out upon successful validation of their submission. Several submissions may be considered one vulnerability at United's discretion.

Eligibility requirements

To ensure that submissions and payouts are fair and relevant, the researcher and the vulnerability must be eligible according the United disclosure program terms, including, but not limited to, the following requirements:

• All vulnerabilities must be new discoveries. Award miles will be provided only to the first researcher who submits a particular vulnerability.
• The researcher must be a MileagePlus® member in good standing of at least 18 years of age. If you're not yet a member, join the MileagePlus program now.
• The researcher must not reside in a country currently on a United States sanctions list.
• The researcher submitting the vulnerability must not be a current or former employee of United Airlines, any Star Alliance™ member airline or any other partner airline, a contractor of United Airlines, or a family member or household member of an employee of United Airlines or any partner airline.
• The researcher submitting the vulnerability must not be the author of or have any prior affiliation with the vulnerable code.

---

Rules of Engagement:

• Provide details of the vulnerability finding, including information needed to reproduce and validate the vulnerability using the submission form.
• All vulnerabilities must pose a security threat in order to be eligible for a reward. United is ultimately responsible for determining the severity of an issue.
• Vulnerabilities or potential vulnerabilities you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving award miles.
• Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of United services.
• Do not attempt to perform brute-force attacks, denial-of-service attacks, compromise or testing of United accounts that are not your own.
• Do not attempt any testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
• Do not attempt to target United employees or customers using methods, including social engineering attacks, phishing attacks or physical attacks.
• Do not perform physical attacks against United airport facilities.
• Do not use automated scanners/tools.

---

Testing is only authorized on the targets listed as In-Scope. Any domain/property of United not listed in the targets section is out of scope. This includes any/all subdomains not listed above. IF you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to United, it may be reported to this program and at United's discretion may be accepted and eligible for a reduced payout amount. Otherwise, out of scope submissions will be marked as ‘not applicable’ and will not be eligible for miles or points-based compensation.

---

Submission Instructions:

Please be aware that this program does not pay out any monetary rewards, they pay out in frequent flier miles for the United MileagePlus Program.

When submitting to the United program for the first time, please retrieve the tax forms from the below URLs and fill them out. When you make your first submission, encrypt the file with the attached United_VDP_Public_Key.txt. This will allow the United team to process your tax form at the end of the year for any miles that you have earned on the program.

• W8BEN.pdf
• W9.pdf

If you do not wish to receive miles for your submission and would like to have them donated to the charity of your choice, that is acceptable as well. Please include the charity that you would like them donated too.

---