United's Bug Bounty Program Headaches Continue
In this industry nothing can be certain, except bugs and taxes.
b3nfr4nkl1n in a post to #baptiste
We’ve heard a lot of stories about United’s bug bounty program that was launched May 11th, 2015. It hit the news outlets with praise. The biggest twist was United’s choice of payout, which was in United miles. I could rant about United’s program, from the frequent reports of delayed patching of critical issues to the overly limited scope, but that’s for a later time.
This is about United’s choice of payout, and a strong warning for anyone wishing to participate in United’s bounty program, or any other program that doesn’t reward cash but rewards something of value that isn’t classified as a gift. You can’t avoid the taxman, and it may be more headache than it’s worth. While it might not be United’s fault that these bounty hunters were not fully informed on the tax ramifications of recieving miles, it does make the entire bounty program more interesting…. in a bad way.
TL;DR - If you’re a bug bounty hunter, and the bounty is not a cash payout, you most likely are still liable for taxes. In cash.
So what happened?
While sitting in a channel of former SpiderLabs friends, it was mentioned that one of their new colleagues was recently hit with a 1099-MISC from United for the bug they submitted for a substantial number. After 30 seconds of searching on twitter, it was confirmed across multiple people, and seems everyone was a bit taken back as to the valuation of a mile.
After digging through a bit in replies, it seems that the $25,000 value was for 1.25M miles rewarded to @psifertex. That means…..
1 Million Miles = USD $20,000
250 Thousand Miles = USD $5,000
50 Thousand Miles = USD $1,000
So, United is valuing these miles at 2 cents/mile. This is not mentioned anywhere on United’s bug bounty program site and, only after some digging, was mentioned by a random blog called Dan’s Deals where he asked United what it would be valued at. Smart guy.
Before We Continue
Zack is not a lawyer nor is he a CPA, and his statements should not be taken as legal nor tax advice. Don’t believe anything he says. You should consult your own accountant or tax attorney regarding your specific situations. Lawyered.
zfasel’s Legal Team
The Taxing of Miles
This is not the first case of people being taken off guard with a tax bill over the miles they recieved, but there is indeed a lot of precedent. Back in 2002, the IRS issued Announcement 2002-18, stating the following:
…the IRS will not assert that any taxpayer has understated his federal tax liability by reason of the receipt or personal use of frequent flyer miles or other in-kind promotional benefits attributable to the taxpayer’s business or official travel……
… This relief does not apply to travel or other promotional benefits that are converted to cash, to compensation that is paid in the form of travel or other promotional benefits, or in other circumstances where these benefits are used for tax avoidance purposes.
Emphasis mine. TL;DR: Reward and frequent flier miles are commonly considered tax free, but promo and payments in travel is not.
In 2009 and then 2012, Citibank took a firmer stance that miles that were earned as a sign-up “bonus” were taxable by sending 1099 to bank and card members. This issue finally came to a finalization in 2014 in SHANKAR AND TRIVEDI v. IRS COMMISSIONER. The taxpayers stated that the Citi “thank you” award miles shouldn’t have been counted as taxable and shoudl be treated as a rebate like other rewards. The IRS disagreed, and subsequently won. The value of those 50,000 miles was directly mapped to the actual cost of the ticket they purchased once they purchased it, which was $668. NOTE: This is ~1.33 cents a mile.
For contests/prizes however, miles awarded in this fashion have always been considered as taxable, and have been taxed at similar per-mile levels. If you take a look at one of United’s Million Mile contests they clearly spell out in the terms the Approximate Retail Value (ARV) and value the miles in that contest as 2.5 cents/mile. Same with another MileagePlus Shopping Contest at 2.5 cents/mile. American Airlines also values their miles at 2.5 cents/mile for conests as seen here.
So, if you’re getting miles as a reward for submitting a bug, you’re going to be taxed.
The “Value Of A Mile”
Is a mile worth 2.5 cents? 2 cents? Less than a penny? It depends… It’s time for a comparison. Here’s what things actually look like (note: travel geeks - it’s not exact, and there’s always outliers, but it’s close enough for gauging. Go back to FT ;) ).
| Cents Per Mile | Valuation Method |
|---|---|
| Up to 4.36 | Round The World in Business |
| 3.5 | Purchasing miles through United without bonuses |
| 2.5 | United Contest ARVs |
| 2.24 | LAX<->EWR Business class far out booking |
| 2 | Bug Bounty Valuation |
| 1.88 | Purchasing miles through United with 100% bonus promo |
| 1.5 | The Points Guy Valuation |
| 1.33 | SHANKAR AND TRIVEDI v. IRS COMMISSIONER |
| 1.16 | LAX<->HKG Close in Booking in business |
| 1.12 | LAX<->EWR Close In Booking in business |
| .98 | LAX<->EWR far out economy booking |
| .87 | Hotel booking using miles |
| .79 | United Club Membership |
| .628 | LAX<->EWR close in economy booking |
| .6 | Converting to Amazon Giftcards |
| .58 | MileagePlus Store Purchasing Goods |
| .44 | LAX<->HKG close in economy booking |
Yes, there are numerous other examples where a mile is worth >2 cents in value, but it takes extensive planning and searching. So, in most cases that someone would actually be able to use the miles, the value of a mile is much less than 2 cents. This is where things are difficult. What is the actual value of a mile? The answer is always “it depends”. The answer in this case is “it’s for United to set and you to prove otherwise”.
The Tax Bill
It’s time to pay the taxmen with cold hard cash. (Note: I’m only focusing on the US here, because ‘MURICA and that I dont know different countries tax codes)
Obviously taxes vary based upon state and bracket, but the tax bill on a One Million Mile bounty valued at $20,000 in additional income will run someone between $5000 (Married in Nevada making <100k/year) up to just over $10,000 (California Making >300k/year)). Realistically, It’ll run most about $8000 in cold hard cash. At $8000, the cost per mile to break EVEN (that is not make anything of the disclosure) is .8 cents / mile. Go look up at that chart again. Now realize that at one million miles, even .1 cent (not 10 cents, a tenth of a cent) per mile equates to $1000 in claimed value.
Assuming the tax burden of $8000, If you were to redeem your miles for Amazon Gift Cards, you would loose $2000 to taxes for disclosing the bug. If you were to use TPG as your evaluation, after taxes you would essentially have $5,000 for the 1MM bug (vs $12,000 of post-tax value they claim it to be worth).
So What Can Bounty Hunters Do About This?
Well, it falls into two groups of things:
You Already Recieved Miles
Got paid out and shocked by that 1099? Ouch. Well, you’re not alone. If you want some background on others who got hit with high tax bills that were out of wack valuations, check out this post on View From The Wing and the external links in that post.
First, consult a real accountant, but again, that’ll cost you. But don’t fuck around with this as you’ll definitely get audited if you don’t claim it.
Second, You may be able to dispute the value of the miles. Work with that accountant to do that.
You could also sit on the miles and pay the full tax bill if you’ve got the cash and either (a) get the appropriate value for those miles on specific cases it makes sense or (b) donate them this year and take that 20k as a write off for this year (but you’d still have to pay 2015 taxes on it most likely). Honestly, I doubt you’ll get appropriate value for the miles unless you want to go around the world in business 3 times.
You Submitted a Bug But Haven’t Been Paid Miles
You can either (a) take these miles, knowing the tax liabilities, or (b) donate the miles through United so there’s no tax liability (you boy scout you).
Me personally? I’ll be staying far away from it.
Should We Call “Bullshit”?
United did say in their terms “You are responsible for any tax implications that apply based on your country of residency and citizenship”. Is it a case that these Bounty Hunters were just not as well informed on tax code as they should be? Or is it shame on United for handling their bounty program this way?
Survey Says…. Bullshit!
Yup, grab your pitchforks and throw your Shmooballs. I’m calling bullshit, and there’s a few reasons:
- It’s up to the Bounty Hunter to dispute the valuation - A mile’s valuation is not standardized. It’s not like 1 mile = 1 dollar in all cases (or even most cases). So, by setting such a high ARV for the miles, they’re adding an unnecessary burden on the person receiving the miles to dispute. A mile is such an arbitrary unit of value.
- Because of this, United is banking on the mile being worth less than 2 cents - Yup. They could have done United gift cards (well, I don’t know legal, but i don’t see how giving miles vs giving giftcards is different), but they’re hoping it’s going to cost them less that the amount they’re valuing it. I expect nothing less from an airline.
- United is getting a tax writeoff on their valuation of these miles - Yup, the expense of them giving away these miles is a writeoff of the value they deemed them at for zero up front cost, and it’s up to the bounty hunters to dispute it. I’m honestly curious if it came up in meetings that their bug bounty program could potentially cut costs through tax liability reductions by paying in miles vs. cash.
- This isn’t really a contest - @k8em0 pointed out on Facebook that some bug bounty programs are considered contests of skill (vs. contests of chance). But in all of the other cases, they were cash payouts. This isn’t a case where someone is signing up for a “chance to win”. Someone puts in a bit of work to find and validate a problem (significant amount of work especially given their terms), reports it to United, and they decide to compensate that person for their finding. Sure, legally it might be a “contest” for certain protections/reasons, but that shouldn’t put an unnecessary financial strain on the bounty hunter if they want to accept compensation for their time and finding. Which leads me to…
- You can hold back cash on cash bounties to pay the tax bill. You can’t sell miles / pay tax bills in miles - In a cash payout, it’s your responsibility to simply not spend a percentage of what you receive. Miles? You can’t sell them (per the terms of the MileagePlus program, you can’t transfer them to something of value that isn’t United flights at the rate they’re worth (i.e. giftcards). It’s not like other prize giveaways where you could sell the prize (albeit at a lower value) and still get cash to pay the taxes and have some left over. So, at the end of the day, you have to “come up with” the cash for the taxes on the miles or not accept them.
Listen, I get the opposition to this:
- At least they have a bounty program - Yes, I agree. But the bounty program shouldn’t create unnecessary financial strain on the person submitting it. No arguments there.
- It’s the bounty hunter’s responsibility to research their tax liabilities for receiving payments - Sure it is. I agree completely. This is such a new and unique case that it’s taking them off guard though, and United hasn’t been as straightforward with the ARV as they have with their contests.
- It’s better than nothing - Is it? Is the extra headache of having to dispute the valuation of the miles or fight to get the 2 cents/mile in value worth it? For me, I’d donate the miles to charity to avoid this headache, so, in the end, get nothing, and United still most likely gets a 20k tax write-off for donating the miles to charity.
What Should United Do?
Don’t talk about a problem if you don’t have a solution. I’ve got a few recommendations:
- Offer an Equivalent Reward in Cash Payments - If you’re going to value the miles at $20,000, offer an equivalent cash payout. Yes, it’s time to find which budget this is coming out of, but stop making it a bet that it’s not going to. I understand they probably can’t set a lower value as it would value the miles at a lower amount across the board, but then lower the miles. 500k miles or 10k payout would be gladly accepted, and yes, you could roll it back and very few would complain if you added the cash payout.
- Offer the payout in United Gift Cards - This would fix the issue of $1 = $1 and someone being taxed appropriately on it and not have to dispute it. It would also help prevent adding insult to the bounty hunters’ when it’s time to redeem the miles and they either have to pay a close-in booking fee (not everyone is Platinum/1K/GS) or find out their miles were devalued. This then still keeps them in the United loop and the actual cost will still be much less.
- Spell out the ARV in the terms - If the miles reward is going to remain, at the very least spell out the ARV of the miles and what the bounty hunter will receive a 1099 for, and spell out if the miles can be donated to charity.
Will any of this change? Probably not. But consider a warning next time you go to submit a bug for someone who’s not paying in cash - whether it’s miles, points, free services, or new toys. You’ll be on the hook for a tax bill to be paid in cash. And if you’re accepting miles, better know what they’re actually worth (and how much work is needed to get value out of them).