
Why Uber will pay up to $10,000 for hackers to break into its system

The company's 'bug bounty' is part of an emphasis on transparency and collaboration with friendly 'white hat' hackers.

Photo: This Friday, Nov. 21, 2014 file photo taken in Newark, N.J., shows smart phones displaying Uber car availability in New York. On Tuesday, the ride-hailing company launched a "bug bounty" program that promises up to $10,000 for information about vulnerabilities in the company's apps and websites and includes a "treasure map," showing where they might be found.
Julio Cortez/AP/File

Uber became the latest firm to issue a cash bounty on tips about bugs in its system on Tuesday, when the ride-hailing company said it would release a technical “treasure map” of its computer systems to a select group of hackers.

The company’s “bug bounty” begins on May 1st, and would offer independent security researchers up to $10,000 for finding a range of flaws in its system that could lead to the exposure of personal information about the company’s passengers and drivers.

Uber is far from the first company to launch such an effort — and it has partnered with the independent firm HackerOne, which specializes in coordinating bug bounties — but the release of its “treasure map” may mark a new level of transparency for the company.

“We’re saying ‘here are the different portions of the website, the mobile apps and how they work, and the technologies underneath them. If I were a security researcher, here’s where I’d look,’” Collin Greene, security engineering manager at Uber, told Wired. He previously oversaw a similar program at Facebook.

The map provides details of the company’s software, points to the types of data that might be exposed inadvertently and then suggests what types of flaws are most likely to be found.

Uber has previously guarded information about its code, with a team of researchers from Northeastern University recently describing the algorithm that makes its controversial “surge pricing” work as a “black box.”

The company says it is only revealing information that is already public. The treasure map covers its websites and apps for drivers and riders, not other aspects of its technology, such as drivers' cars.

But its bug bounty, an effort launched in the past by large tech firms such as Apple and Microsoft, sometimes in private contests, also points to a larger shift in how independent security researchers are perceived — as potential assets for their knowledge and skills, rather than shadowy agents or potential criminals.

“That's a level of confidence that you have not seen too many closed-source software companies take in the past, and I'm really hopeful that others will follow suit," Alex Rice, chief technology officer at HackerOne, which is managing the program, told Reuters.

Uber has been making a series of efforts to root out vulnerabilities — perhaps ahead of a future move to fully self-driving cars — including conducting private tests for bug bounties. Last year, the company hired Charlie Miller and Chris Valasek, two independent hackers who had successfully compromised the controls in several car models, including a remote takeover of a 2014 Jeep Cherokee.

Smaller flaws could yield only a few thousand dollars, but a bug considered “critical” — causing “full account takeover,” or exposing sensitive data such as social security or bank account numbers — would net $10,000.

The hackers will have 90 days to identify bugs in Uber’s system, but need to find at least four bugs before they can start receiving the bounties.

If a researcher finds a fifth bug, the company will offer them a bonus of 10 percent of the average value of the previous four bugs as a “loyalty program,” to encourage “white hat” hackers to continue identifying vulnerabilities in the company’s systems.

After a bug has been fixed, the company would also be open to publicly disclosing it if it was identified by an independent hacker.

For Uber, the bug bounty program could also help ensure a lasting relationship with highly-skilled independent security researchers. “We believe a more transparent program will be a more successful [one],” Mr. Greene told Wired.
