Why Uber will pay up to $10,000 for hackers to break into its system
Uber became the latest firm to issue a cash bounty on tips about bugs in its system on Tuesday, when the ride hailing company said it would release a technical “treasure map” of its computer systems to a select group of hackers.
The company’s “bug bounty” begins on May 1st, and would offer independent security researchers up to $10,000 for finding a range of flaws in its system that could lead to the exposure of personal information about the company’s passengers and drivers.
Uber is far from the first company to launch such an effort — and it has partnered with the independent firm HackerOne, which specializes in coordinating bug bounties — but the release of its "treasure map,” may mark a new level of transparency for the company.
“We’re saying ‘here are the different portions of the website, the mobile apps and how they work, and the technologies underneath them. If I were a security researcher, here’s where I’d look,” Collin Greene, security engineering manager at Uber, told Wired. He previously oversaw a similar program at Facebook.
The map provides details of the company’s software, points to the types of data that might be exposed inadvertently and then suggests what types of flaws are most likely to be found.
Uber has previously guarded information about its code, with a team of researchers from Northeastern University recently describing the algorithm that makes its controversial “surge pricing” work as a "black box.”
The company says it is only revealing information that is already public. The treasure map covers its websites and apps for drivers and riders, not other aspects of its technology, such as drivers' cars.
But its bug bounty, an effort launched in the past by large tech firms such as Apple and Microsoft, sometimes in private contests, also points to a larger shift in how independent security researchers are perceived — as potential assets for their knowledge and skills, rather than shadowy agents or potential criminals.
“That's a level of confidence that you have not seen too many closed-source software companies take in the past, and I'm really hopeful that others will follow suit," Alex Rice, chief technology officer at HackerOne, which is managing the program, told Reuters.
Uber has been making a series of efforts to root out vulnerabilities — perhaps ahead of a future move to fully self-driving cars — including conducting private tests for bug bounties. Last year, the company hired Charlie Miller and Chris Valasek, two independent hackers who had successfully cut the controls in several car models, including a remote takeover of a 2014 Jeep Cherokee.
Smaller flaws could yield only a few thousand dollars, but a bug considered “critical” — causing “full account takeover,” or exposing sensitive data such as social security or bank account numbers — would net $10,000.
The hackers will have 90 days to identify bugs in Uber’s system, but need to find at least four bugs before they can start receiving the bounties.
If a researcher finds a fifth bug, the company will offer them a bonus of 10 percent of the average value of the previous four bugs as a “loyalty program,” to encourage “white hat” hackers to continue identifying vulnerabilities in the company’s systems.
After it's been fixed, the company would also be open to publicly disclosing a bug identified by an independent hackers
For Uber, the bug bounty program could also help ensure a lasting relationship with highly-skilled independent security researchers. “We believe a more transparent program will be a more successful [one],” Mr. Greene told Wired.
