Editors' pick: Originally published Oct. 7.

The University of Georgia hacking incident, which led to a felony charge (that was later dropped), was probably a good indication Ryan Pickren had mad skills when it came to identifying vulnerabilities in computer networks.

But who would have guessed that same skill would later earn the 22-year-old a staggering 15 million frequent flyer miles?

As far as part-time college jobs go, that's a pretty solid payoff.

And for travel junkies that kind of mileage is basically the stuff of dreams.

Pickren earned the frequent flyer miles by working with the United Airlines Bug Bounty Program, a first-of-its-kind in the airline industry.

Started just last year, the program invites anyone with cyber security skills to search for a variety of specifically eligible bug types in the United Airlines websites, apps and online portals - such things as authentication bypasses, cross-site request forgery, cross-site scripting, and remote code execution.

In other words, gibberish to most of us, but not to Pickren and his ilk - those who have stellar computer skills.

In exchange for identifying security issues, miles are awarded to the researchers (cyber security experts, professional hackers - choose your preferred title).

"The easiest way to describe the program is crowdsourcing security researchers from around the world to help us identify where we may have configuration and vulnerability issues," begins Arlan McMillan, United's chief information security officer.

According to McMillan, the program has allowed United to attract some of the top cyber security minds to assist the airline with maintaining its systems. Experts from practically every continent have been lining up to get in on the action.

"We don't have anyone in Antarctica, but we do have people from everywhere else...Kenya, Australia, India, Latin America," McMillan says.

So Pickren is in some pretty stellar company, and yet since joining the program in October 2015, he has grown to be its top mileage earner.

"I was the kid who was always tinkering with computers growing up," says Pickren, now a senior at Georgia Tech. "My sister and I used to share a computer, and I would change the privileges on her account and lock her out of her account."

All of which led years later to that Thanksgiving day hacking incident involving the University of Georgia, which Pickren thought was extremely clever and harmless enough, until he found himself in a jail cell.

As Pickren explains, the week preceding Thanksgiving is an exciting time at Georgia Tech, one known as the "UGA vs. GT Hate Week." For the uninitiated, it's a 100-year-old tradition that nearly all Georgia Tech students look forward to, a time rife with rivalry pranks.

With a grandfather who's a Georgia Tech alum, Pickren was immersed in the legendary rivalry pranks from a young age - stunts ranging from stealing the other team's mascot to spray painting the UGA arch in its opponent's colors.

Bursting with all he had learned at Georgia Tech about cyber security, Pickren decided to use his hacking skills to join in the prankster fun. While waiting for Thanksgiving dinner to be prepared (a time when most people are plopped on the couch watching football), Pickren worked his way into the UGA system, pulled up the school's home page and posted a now infamous note on their master calendar that read "Get Ass Kicked by GT."

Needless to say, officials in high places were not amused. Pickren eventually had to turn himself in to police and spent Christmas Eve in a jail cell.

The charges, however, were later dropped as part of an agreement requiring Pickren to write an apology letter to UGA, complete community service, and stay out of trouble for 12 months.

So the moral of the story is really twofold.

Don't engage in illegal hacking (obviously). But if you do have serious skills, channel them into something legal and with a better payoff - such as United's program, or others like it.

United is not the first company to have a bug bounty program, McMillan points out. Facebook, Microsoft and Oracle have long had such programs. But United is the first non-technical sector company to take part in such an approach to protecting networks.

"A bug bounty program is like a force multiplier," McMillan explains. "We now have the potential of millions, or hundreds of thousands, or tens of thousands of quality security researchers all over the world helping us out... Anybody in the world can submit information. We have an email they can submit information to. But to receive an award, they have to satisfy particular criteria."

Yes, that's the pause button right there for those who may now be viewing United's Bug Bounty Program as an easy path to a free vacation: the criteria.

For instance, all bugs must be new discoveries, and miles are awarded only to the first researcher who identifies and submits a particular issue.

In addition, the researcher submitting the bug must not be the author of the vulnerable code.

And all bugs submitted must go through a validation process conducted by United security employees.

What's more, as has been previously stated, you're up against some pretty stellar competition, including those who have landed in jail and earned national headlines with their skills.

"The researcher generally has to be of the very top elite," says McMillan. "This is not just a regular person who has gone to computer science class. These are elite researchers."

Pickren worked on the United program in between classes at Georgia Tech, during his down time. But he admits, once he got started identifying bugs in United's system, it was always on his mind.

"I would have these eureka moments throughout the day," he explains.

Like McMillan though, Pickren says it's no easy payoff. Even Pickren was initially discouraged by how challenging the work could be at times, identifying new bugs that had not been found by other researchers.

Still, he remained focused, and before long Pickren was finding himself pleasantly surprised at the frequent flyer miles he was accumulating with each email from United confirming a bug he identified was indeed a legitimate vulnerability.

"At first I just focused on the bugs, but later when I looked at my account, I thought, 'Oh my god, I don't know if I will be able to use all these miles,'" he recalls.

Tough problem to have, right?

Pickren has found some creative ways to begin using the miles. For instance, he recently stayed at a luxe resort in Miami thanks to those miles and took two of his roommates on a cruise to the Bahamas with him.

He's also donated five million miles to Georgia Tech student organizations that participate in charity.

But even with all that, he still has millions of unused miles.

"I've used two or three million miles so far," Pickren says, sounding almost stunned by the numbers himself. 

It's hard to say when or how Pickren will use his remaining miles.

Right now, he's busy fielding job offers from companies that have heard about his remarkable cyber security skills.