SQLServerCentral Editorial

Hack Us

Whose employer is brave enough to do this: ask to be hacked? That's what United has done, with a challenge to look for vulnerabilities in their apps, portals, and websites. They're offering miles as prizes, with the top prize of 1 million miles for high severity bugs. It's arguably a good way to get lots of free pen testing for not much of a cost. It might even be profitable with the publicity that comes along with the challenge.

I don't know that many of the employers I've worked for in the past would be willing to make a challenge like this. Apart from the problems of shifting resources to deal with potential issues quickly, there's also the concern that far too many issues would be reported. Given how poorly some systems appear to be developed, I wouldn't be surprised to find many developers, managers, and even clients concerned over an invitation to attack one's system.

However, I would think the professional in most of us would want this. We'd want to know what's broken, have resources to fix it, and learn how we can code better. Some of us might worry that all the code we've cut and pasted will have the same issue in many places, but today's tools make refactoring easier. If you're using a VCS, and you should be, you'll have copies of old code to easily undo a change if it's a mistake.

I am glad that United decided not to include their onboard, live flight systems in this challenge. That worries me, and while they need penetration testing done on those systems, I'd prefer it were done in controlled situations, and not when I'm flying between cities.
