Uber is joining the public bug bounty movement. The taxi cab app has recruited HackerOne to offer up to $10,000 for critical flaws in its servers, with additional cash on offer as a loyalty bonus.
Last year, Uber invited 200 researchers to take part in a private test of its software, and over 100 bugs were found in the code. Now it's opening up the testing to everyone.
"When it comes to flaw funding, you typically get much better results if people undertake long-term research," Alex Rice, CTO of HackerOne told The Register. "You want to reward people, but researchers turn up higher quality and more serious bugs if they put the time in."
The public bounty program will begin on May 1, and the initial set of rewards will include:
- $10,000 for flaws like remote code execution on a production server or allowing access to client records.
- $5,000 for stored cross-site scripting errors.
- $3,000 for reflected cross-site scripting and most cross-site request forgery issues.
Researchers who report five or more flaws in the first 90 days are eligible for the loyalty program, which increases their payout by 10 per cent, and that percentage will be reviewed – and possibly raised – at the end of the first bounty period.
"Even with a team of highly qualified and well-trained security experts, you need to be constantly on the look-out for ways to improve," said Joe Sullivan, chief security officer at Uber.
"This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."
To make life easier for researchers, Uber engineers have created a "treasure map" for researchers, highlighting the various architectures Uber is running and what kind of flaws the upstart is particularly interested in finding for each. Uber's Android and iOS apps are included in the program.
Rice also noted that Uber's most loyal researchers won't just be benefiting financially from the loyalty scheme. They will also be putting themselves on Uber's radar when the biz makes its next round of security hires.
Uber does have form in this area. Last year, the multibillion-dollar Bay Area-based company entered into a partnership with Carnegie Mellon University's National Robotics Engineering Center to examine self-driving cars. The firm then hired about 40 of the center's best staff, precipitating what the School of Computer Science dean Andrew Moore called an "Uber crisis" in the facility. ®