United Airlines bug bounty program (united.com)
36 points by adamnemecek on May 14, 2015 | 45 comments


Paid in United miles? Not really an incentive there.


Not only that, but: "Award miles offered under this Program are not Premier® qualifying miles." So you don't even get the free checked bag and priority check-in that those miles would otherwise entitle you to.


And United just limited how you can use reward miles. It used to be that your status would pass on to the passenger. So I'd fly my mom or sister, and they'd get checked bags, lounge, priority access, etc.

Now they no longer do that. So it makes the miles far less useful. And, since it doesn't apply to GS, all the other premiers still get screwed by this change. So it's not like it's gonna improve premier status for the rest of us anyways.

Ranty anecdote: Oh, and they don't even respect what their ticketing and policies on this state. The rule was that any such ticket booked before 15 Apr would use the old rules, and indeed the baggage calculator would show that. Sent my sister somewhere, counting on some big bags to bring equipment. GA starts making a fuss, saying no, made her unpack and so on. Even after calling United and being assured she'd be treated properly on the return flight, nope, still not handled correctly and made to pay extra. United's IT is terrible. That's why we call their site ".bomb".


United's checked bag fees don't actually matter since you'll most likely be refunded as their standard operating procedure is to delay your bag for a week if they can ship freight instead.


Agreed. They should be award miles that allow for PQM accrual. Or make them all PQM. That way someone could get gold for life (plus spouse) for a code execution exploit.


I fly United about 70 times per year. I use them all the time. And yet, understanding the myriad of acronyms is just plainly annoying. Also, their program is getting worse year after year, including arbitrary inflation of your miles on the order of 50-70% every 18-24 months.


Even if you got the PQMs, you'd still need the dollars to get the status. So it's not that helpful, is it?


But the top prize is one million miles, which would get you lifetime status. Delta and United don't (yet) have spend requirements for lifetime status, AFAIK.

Conferring lifetime status isn't necessarily even that expensive to the airline: you only get the benefits after you give the airline your money for tickets. It also creates an incentive to buy tickets on one particular airline, even when they might be slightly more expensive (which is the whole purpose of frequent flier CRM programs).


Yep, exactly. If they were 1mil PQM or 1mil BIS you'd hit million miler and get gold for life. Gold, which only kicks in when you actually fly (like you pointed out).


I see you're familiar with flying United :)


It appears someone still flies United. Who knew.


And, a farcically low payout for otherwise very expensive consulting work from highly skilled people.


Compared to other bug bounties it isn't bad at all. Airline miles are generally valued at around a penny a mile, so $500 for XSS, $2500 for an auth bypass, $10000 for code exec isn't all that bad.


A thing that people who have never run bug bounties before don't realize: many of your submissions come from overseas. If your submitters can't profit, they won't submit.

UA needs to get their shit together.


Robert Crandall claimed that "no airline has ever made back its cost in capital."

(quotes as delimiters; I can't find the exact quote)


Yeah and who would ever want to use United for international anyways?


Don't United miles also expire?


"Bugs that are eligible for submission: ... The ability to brute-force reservations, MileagePlus numbers, PINs or passwords"

"Do not attempt: ... Brute-force attacks"

This seems contradictory. I assume the intent is to not allow DoS attacks (although they call that out separately further down the list)?


Not exactly.

Seems they're saying they'd accept a bug that can be caused by brute-force, but do not actually attempt a brute force yourself.

But yeah, I'd guess they don't want to intentionally invite a bunch of people to DoS the site.


Another interpretation is that, if you discover something similar to what Weev discovered, do not do what Weev did.
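To make the distinction in the comments above concrete, here is an added example (not code from the United program or from anyone in this thread): a toy 4-digit PIN verifier, once without and once with an account lockout, plus a bounded probe of seven requests that shows whether the brute-force weakness exists without ever exhausting the PIN space. The account data, the lockout threshold of 5 and the `PinService` class are all assumptions made for the example.

```python
"""Added example (not from united.com or the thread): a toy PIN check
with and without account lockout, and a bounded probe that establishes
whether a brute-force weakness exists using a handful of attempts.

All account data is constructed inline for the example."""

import hmac

LOCKOUT_THRESHOLD = 5  # assumed policy: lock after 5 consecutive failures


class PinService:
    """Hypothetical PIN verifier. lockout=False models the reportable
    bug (unlimited guesses); lockout=True models the fix."""

    def __init__(self, pins, lockout):
        self._pins = dict(pins)          # account -> PIN (constructed data)
        self._lockout = lockout
        self._failures = {}              # account -> consecutive failures
        self.attempts_seen = 0           # guesses the server has handled

    def check(self, account, pin):
        """Return 'ok', 'bad_pin' or 'locked'."""
        self.attempts_seen += 1
        if self._lockout and self._failures.get(account, 0) >= LOCKOUT_THRESHOLD:
            return "locked"              # even the right PIN is refused
        expected = self._pins.get(account, "")
        # constant-time compare so the probe cannot time the PIN either
        if hmac.compare_digest(expected.encode(), pin.encode()):
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        return "bad_pin"


def lockout_probe(service, account, real_pin):
    """Bounded check a researcher can run instead of a brute force:
    LOCKOUT_THRESHOLD + 1 wrong guesses, then the right PIN on an account
    they own. If the right PIN still succeeds, nothing stops an attacker
    from walking the whole 10**4 space: that is the finding to report."""
    wrong = "0000" if real_pin != "0000" else "0001"
    for _ in range(LOCKOUT_THRESHOLD + 1):
        service.check(account, wrong)
    result = service.check(account, real_pin)
    return {
        "brute_forceable": result == "ok",
        "attempts_used": LOCKOUT_THRESHOLD + 2,
        "final_result": result,
    }


def brute_force(service, account):
    """The exhaustive search the program says not to run, against the
    toy only, to show what the probe above avoids (up to 10,000 calls)."""
    for n in range(10_000):
        if service.check(account, f"{n:04d}") == "ok":
            return f"{n:04d}"
    return None


if __name__ == "__main__":
    accounts = {"MP123456": "4271"}      # constructed sample account
    weak = PinService(accounts, lockout=False)
    print("no lockout  :", lockout_probe(weak, "MP123456", "4271"))
    hard = PinService(accounts, lockout=True)
    print("with lockout:", lockout_probe(hard, "MP123456", "4271"))
```

The probe only ever touches an account the researcher controls and sends seven requests in total, so it demonstrates "the ability to brute-force PINs" while staying on the right side of "do not attempt brute-force attacks". A real service would also rate-limit by source IP and by MileagePlus number, neither of which the toy models.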


"Bugs on onboard Wi-Fi, entertainment systems or avionics" are not eligible for bounties.

It's very strange to see website timing attacks as worth rewarding, but not avionics. Perhaps they'd rather not incentivize people to attack airplanes in flight?


I'm pretty sure that's the reason. While identifying vulnerabilities in the actual airplane is high-value, it's also high-risk. Even the most cautious researcher can easily affect a system being investigated, which is potentially financially costly for a website and potentially fatal for an airplane in the air.


As much as I agree with the comments below/above about it being a safety issue, I would argue it is possible that a contributing factor is in-flight WiFi being so flaky that it would be too expensive to run the program on this asset.


My guess is wifi and entertainment are excluded because United doesn't build those. Depending on the aircraft they're provided by Panasonic, LiveTV, etc. In the case of LiveTV (United's vendor for DirecTV) it's even seller-financed.

United probably isn't interested in paying for someone else's bugs.


Yes, I am pretty sure it is a safety thing. That would be very dangerous to encourage people to try to hack a flight in the air.


It would be a good idea to provide access to that sort of equipment on the ground. Bugs that can lead to loss of life should be of much higher priority than bugs that can merely lead to loss of profit on a web site.

Though the avionics industry would obviously balk at the proposition, those systems are already spectacularly vulnerable, and they'd hate to lose face.


"...those systems are already spectacularly vulnerable..."

Absolutely untrue, unless you have physical access to them (at which point any system is vulnerable). In truth, the maintenance port on a 787, for example, (which is the only place you could feasibly get the kind of access you'd need to even attempt an exploit) is located in the avionics bay. At the point that an unauthorized party has gained access to the avionics bay, you've got a much bigger problem than software exploits.

If you're referring to Chris Roberts' dubious "Planes, Trains, and Automobiles" grrcon talk ... well, I'm sorry, but claiming that you've "made friends <giggle>" with an airplane doesn't seem very substantive to me.

Avionics code is some of the most extensively tested code in the world, with 100% statement and decision coverage, 100% requirements test coverage, extensive robustness testing, and somewhere between a handful and hundreds of eyes having reviewed every single line (depending on criticality level). Additionally, design constraints are followed for high criticality software that simply eliminate many types of attacks - no dynamic allocation, mathematically provable static stack analysis, etc. etc. etc. (get yourself a copy of DO-178B and read it if you really want to know all the details). I would bet a significant amount of money that the defect rate per N lines of code in avionics software is probably substantially lower than almost all other commercial software. There's also the fact that on modern aircraft using Ethernet based networks, message routing and authentication are implemented in both hardware and software at multiple layers by independent teams, which greatly reduces the chances of a common fault that allows a successful attack (even if you could gain physical access to the network).


Access to the media for futzing with the avionics better be very [expletive deleted]ing hard to get.


Exactly what you'd expect from an airline:

"Bugs or potential Bugs you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving award miles."

It's as if it was designed in the same spirit as a frequent flyer program: really stingy payout, with lots of strings attached. I can't see how this can incentivise anyone to do free penetration testing for them.


Is having rude stewardesses and planes that are never on time bugs? Is grouping two flights into one flight number to deceive people into buying 3 stop international flights a bug? If so please pay me in minimal airline miles which I can then use to waste more of my time on the shittiest airline in the world.


I'm not a hacker - how much should you normally get paid for a low/medium/high bug? 50k points ~= $1500; 250k points ~= $7500; 1m points ~= $30k.

A lot more if you redeem for int'l biz/first class...


3 cents per mile seems like a pretty high valuation to me. I usually use 1.5 cpm. You can do better, as you mentioned, but this is a good EV for me.


It's not crazy, though. I was just looking at SFO-TXL round-trips in business. 115k miles… instead of $8k. Values the miles at around 7c/mile.

I made a calculator to answer the question: should I pay cash or spend miles. I set the "good value" threshold at 2c/mile: https://kballenegger.github.io/miles-or-cash/


True.

Another gem in the ToS: "You are responsible for any tax implications that apply based on your country of residency and citizenship."

I know miles earned from credit cards are not taxed, but I do know for a fact that Citibank sends out a 1099 for new checking accounts that come with bonus miles.

If United sends you a 1099 based on the market value of a mile (likely between 2-3 cents each), then you're looking at non-trivial tax implications as well.


United doesn't send out 1099s.


If they actually cared about their site they would go back to the old united.com, not the crappy one Continental brought with them in the merger.

I would have been a lifelong customer, but Continental ruined it.


They're currently beta testing a new (more modern) site: https://beta.united.com/ual/en/us/


I like Virgin's https://www.virginamerica.com/ way more than even their beta one. I guess they're going for different demographics.


The Continental website isn't pretty but it's very functional. Old United's site was called united.bomb for a reason.


Yeah how hard is it to just let us select meals before boarding? Instead of running out of the better meal and pissing off high revenue customers. Even AA gets this right.


There is always beta.united.com.


"Code injection on live systems" is not allowed? What does this even mean?

If I put ?param=' and it crashes with an SQL error have I performed code injection on a live system?


Well in that case they'd presumably have a log and they would see no suspicious payload.
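The single-quote probe asked about above, run against a toy reservation lookup built two ways, as an added example (not code from united.com or from anyone in this thread). The string-concatenating version dies with a SQL syntax error on a lone `'` before any query logic runs; the parameter-binding version treats the quote as data and simply finds no row. A classic `' OR '1'='1` value is included as well, to show where a probe ends and injection begins. The table, rows and function names are constructed for the example.

```python
"""Added example (not from the thread or united.com): the ?param='
probe against a toy SQLite reservation lookup, vulnerable and hardened.
Table and rows are constructed for the example."""

import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reservations (confirmation TEXT, passenger TEXT)")
    conn.executemany(
        "INSERT INTO reservations VALUES (?, ?)",
        [("ABC123", "A. Traveler"), ("XYZ789", "B. Flyer")],  # constructed rows
    )
    return conn


def lookup_vulnerable(conn, confirmation):
    # String building: the parameter is spliced straight into the SQL text,
    # so a quote in it changes the statement the parser sees.
    sql = ("SELECT passenger FROM reservations WHERE confirmation = '"
           + confirmation + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, confirmation):
    # Parameter binding: the value is handed to the driver separately and
    # can never become part of the statement.
    sql = "SELECT passenger FROM reservations WHERE confirmation = ?"
    return [row[0] for row in conn.execute(sql, (confirmation,))]


def probe(lookup, conn, value):
    """What the commenter's ?param=' does: one malformed value, no payload.
    Returns a (label, detail) pair a triage note could use."""
    try:
        rows = lookup(conn, value)
    except sqlite3.OperationalError as exc:
        # A database error surfacing from user input shows the input reached
        # the SQL parser; no attacker-controlled SQL has been executed yet.
        return ("sql_error", str(exc))
    return ("no_error", rows)


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "normal  :", probe(fn, conn, "ABC123"))
        print(name, "quote   :", probe(fn, conn, "'"))
        print(name, "tautology:", probe(fn, conn, "' OR '1'='1"))
```

On the vulnerable lookup the lone quote yields an `unrecognized token` error and the tautology returns both passengers; on the hardened lookup both values return an empty list. The error message leaking to the client is itself a reportable information-disclosure finding, separate from whether anyone went on to inject SQL.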


I think this idea of bounty programs even among non-tech companies will continue to grow. I recently wrote about this in-depth as a solution to many of the online security problems: http://mytwoandahalfcents.com/prevent-enterprise-security-br...


Where is their PGP key?



