• I would be pretty scared to not have control over who is doing the pen testing. In reality, you are providing free license. With a contract + MOU you have a defined source of attack and the ability to react as such.

    However, in this case, you have handed an anonymous "Get out of jail free" card out to anyone. If I were a hacker who was interested in the kind of data United holds, but scared of being busted, this would be a great time to make a move. If I found something I wanted, Score! If I was detected instead of getting away with my exploit, I was simply trying to earn some miles.