Published: March 24, 2016 | San Francisco, CA
Uber has launched its own “bug bounty” and loyalty reward program designed to encourage members of the security community to dig deep and help the company deal with security threats. Up to $10,000 will be paid for reported critical bugs. For now, the program only applies to bugs found in its websites and apps for riders and drivers, not in actual vehicles.
Recently, General Motors announced plans to reward “white-hat” hackers who report security loopholes in vehicles. Tesla already has a team of hackers working on cyber threats. But Uber, which is launching its program with the help of the bug-bounty-focused firm HackerOne, has gone a step further than older programs run by Google, Facebook and Microsoft: it is trying out a bug bounty “loyalty system” that gives hackers bonuses for repeated bug discoveries in Uber’s platform.
Bounty hunters will be eligible for the loyalty reward once they have found four issues that Uber has accepted as genuine bugs. If they find a fifth issue within the 90-day session, they will get an additional bonus payout equivalent to 10% of the average payout for all the other issues found in that session. The same rule applies to any further bugs reported within that 90-day session.
“Even with a team of highly qualified and well-trained security experts, you need to be constantly on the lookout for ways to improve. This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber,” says Joe Sullivan, Chief Security Officer.
Uber has also released a “treasure map” for bug bounty hunters, designed to guide them toward potential vulnerabilities in the site by mapping out the company’s code so that bug hunting is as efficient as possible. The map will be updated regularly.
Uber will publicly disclose and highlight the highest-quality submissions (with the permission of the researcher, of course) so everyone can see the best examples of the kinds of issues that get rewarded.
Whenever feasible, the ride-sharing company will also give researchers access to new features at the same time they are rolled out to Uber employees.
Uber has been investing in cybersecurity for quite some time. Last year, Uber launched a private beta bug bounty program for over 200 security researchers. They found nearly 100 bugs, all of which have been fixed, helping to improve security at Uber. Recently, Uber recruited the famous hacker duo Miller and Valasek, as well as a few people from Facebook, including Joe Sullivan (CSO) and Collin Greene.