Uber woos security gurus with open bug bounty, loyalty scheme

HackerOne deals with the details, Uber can poach the staff


Uber is joining the public bug bounty movement. The taxi cab app has recruited HackerOne to offer up to $10,000 for critical flaws in its servers, with additional cash on offer as a loyalty bonus.

Last year, Uber invited 200 researchers to take part in a private test of its software, and over 100 bugs were found in the code. Now it's opening up the testing to everyone.

"When it comes to flaw funding, you typically get much better results if people undertake long-term research," Alex Rice, CTO of HackerOne, told The Register. "You want to reward people, but researchers turn up higher quality and more serious bugs if they put the time in."

The public bounty program will begin on May 1, and the initial set of rewards will include:

  • $10,000 for flaws like remote code execution on a production server or allowing access to client records.
  • $5,000 for stored cross-site scripting errors.
  • $3,000 for reflected cross-site scripting and most cross-site request forgery issues.

Researchers who report five or more flaws in the first 90 days are eligible for the loyalty program, which increases their payout by 10 per cent, and that percentage will be reviewed – and possibly raised – at the end of the first bounty period.

"Even with a team of highly qualified and well-trained security experts, you need to be constantly on the look-out for ways to improve," said Joe Sullivan, chief security officer at Uber.

"This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."

To make life easier for researchers, Uber engineers have created a "treasure map" highlighting the various architectures Uber is running and what kind of flaws the upstart is particularly interested in finding for each. Uber's Android and iOS apps are included in the program.

Rice also noted that Uber's most loyal researchers won't just be benefiting financially from the loyalty scheme. They will also be putting themselves on Uber's radar when the biz makes its next round of security hires.

Uber does have form in this area. Last year, the multibillion-dollar Bay Area-based company entered into a partnership with Carnegie Mellon University's National Robotics Engineering Center to examine self-driving cars. The firm then hired about 40 of the center's best staff, precipitating what the School of Computer Science dean Andrew Moore called an "Uber crisis" in the facility. ®

