An anonymous reader writes:Certified ethical hackers at Offensi.com identified a bug allowing remote code execution on one of United Airlines' sites, and submitted their findings to the airline's "bug bounty" program. After a fix was placed into production, their team was awarded 1,000,000 Mileage Plus air miles, which they say was accompanied by an email informing them that the IRS would consider their award as $20,000 of taxable income. "If after evaluating the taxable amount you choose not to accept your award, you are also able to donate your award to charity," the e-mail explained. The hackers ultimately chose to distribute their air miles among three charities -- the Ronald McDonald house, the Muscular Dystrophy Association, and the Casa de Esperanza de los Ninos Organization.
Another security researcher complained in November that United failed to close a serious vulnerability he'd identified
for almost six months.