Bug Bonus


It seems like every day we hear a new story about seemingly relentless internet hacks and smoothly executed data breaches. Target got hacked by Russian teenagers and millions of credit cards had to be replaced. Sony got hacked by the North Koreans and Hollywood executives were forced to issue apologies. The Office of Personnel Management got hacked by the Chinese and thousands of spies got their covers blown. It's almost enough to make you long for the return of old-fashioned computer punch cards.

United Airlines, just like the corporations listed above, depends on internet technology as much any big business; the days of friendly travel agents patiently walking you through route choices are long gone. So back in May, they took advantage of a clever strategy for avoiding the sorts of cyberattacks that make the skies less friendly. They call it the "Bug Bounty Program" in which "white knight" hackers are paid to find the flaws in their system before the bad guys do. Last month, the airline paid two hackers a million "MileagePlus" points each for finding and documenting major system vulnerabilities.

A million miles is literally enough to fly to the Moon and back twice – that is, if you don't mind cramped seats, surly gate agents, $15 snacks, and extensive layovers in Newark. But back here on earth, what do our friends at the Internal Revenue Service think of the Bug Bounty program?

The IRS generally considers frequent flyer miles you earn from business travel to be nontaxable rebates. However, miles you earn from other sources - like opening a bank or brokerage account - may be taxable. In 2012, Citibank drew heat by issuing thousands of 1099s to customers who had opened new accounts. But many tax experts agreed the IRS wouldn't have noticed — or really, even cared — if Citibank hadn't blown the whistle by issuing the forms!

Last year, the Tax Court reinforced the notion of taxable miles, ordering a Citibank depositor to pay tax on 50,000 "Thank You Points" he redeemed for a $668 airline ticket. In Shankar v. Commissioner, the Court characterized the points as a premium for a deposit: "…something given in exchange for the use (deposit) of Mr. Shankar's money; i.e., something in the nature of interest. "

United has confirmed that they'll send 1099s to the Bug Bounty winners, valuing the miles at two cents each…which is great for United; it means they get to deduct those rewards on their tax returns. But it also means the winning hackers get taxed on $20,000 each. That's a real problem. First, the miles may not actually be worth as much as United says they are. (Thepointsguy.com, an online resource for points collectors, currently values MileagePlus points at just 1.5 cents each.) And second, the hackers can't sell their miles — which means they're having to pay out cash to the IRS for cash they never really received!