Why United Airlines Gave a 19-year-old Dutchman One Million Flyer Miles for Hacking Their Site

August 9, 2016, 11:00 PM UTC
United Airlines Reports Quarterly Profit Of 140 Million
United Airlines planes sit on the tarmac at San Francisco International Airport on January 23, 2014 in San Francisco, California.
Photograph by Justin Sullivan — Getty Images

This article previously appeared on travelandleisure.com.

Olivier Beg, a 19-year-old security researcher based in the Netherlands, may be one of the youngest people ever to accumulate 1 million frequent flyer miles. Also unusual, he didn’t earn them by flying.

Beg earned the 1 million frequent flyer miles as the bounty of a challenge to help the company fix security flaws on its website. This week, Beg flew to Las Vegas for hacker conferences using part of his winnings. As first reported by the Netherlands Broadcasting Foundation and ZDNet, the Vegas trip only cost Beg 60,000 miles and 5 euros for airport taxes.

United Airlines’ (UAL) bug bounty program will reward hackers with 1 million miles for remote code execution, 250,000 miles for medium-severity bugs, and 50,000 miles for low-severity issues.

Beg reported 20 separate security flaws to United. The largest single reward he earned was 250,000, but in total he collected 1 million miles.

For more on airlines, watch this Fortune video:

The teenager began hacking companies to expose security flaws when he was 13 years old and eventually discovered flaws in the code for Facebook and Paypal, earning him $5,000. Beg’s LinkedIn page lists “ethical hacker” as his most endorsed skill. He currently works as the head researcher for cybersecurity firm Zerocopter.

Since United’s initiative was launched last year, a number of hackers have earned its top prize, including Kyle Lovett, a security penetration tester at Cisco Systems. To date, United is the only U.S. airline to offer a bug bounty. Major car companies offer their own bug-crushing rewards including General Motors, Fiat Chrysler, and Tesla, and earlier this year, the Pentagon and Apple both announced hacking-for-bounty programs.

More from T+L:
25 Things You Didn’t Know About Disney Parks
Best Affordable All-Inclusive Resorts
Man’s Sprint to Catch Plane Is the True Mission Impossible

Christopher Tkaczyk is the Senior News Editor at Travel + Leisure.