Why Uber will pay up to $10,000 for hackers to break into its system
Uber became the latest firm to issue a cash bounty for tips about bugs in its system on Tuesday, when the ride-hailing company released a technical “treasure map” of its computer systems to a select group of hackers.
The company’s “bug bounty” begins on May 1st, and would offer independent security researchers up to $10,000 for finding a range of flaws in its system that could lead to the exposure of personal information about the company’s passengers and drivers.
Uber is far from the first company to launch such an effort — and it has partnered with the independent firm HackerOne, which specializes in coordinating bug bounties — but the release of its “treasure map” may mark a new level of transparency for the company.
“We’re saying ‘here are the different portions of the website, the mobile apps and how they work, and the technologies underneath them. If I were a security researcher, here’s where I’d look,’” said Collin Greene, security engineering manager at Uber. He previously oversaw a similar program at Facebook.
The map provides details of the company’s software, points to the types of data that might be exposed inadvertently, and then suggests what types of flaws are most likely to be found.
Uber has previously guarded information about its code, with a team of researchers from Northeastern University recently describing the algorithm that makes its controversial “surge pricing” work as
The company says it is only revealing information that is already public. The treasure map covers its websites and apps for drivers and riders, not other aspects of its technology, such as drivers' cars.
But its bug bounty, an effort launched in the past by large tech firms such as Apple and Microsoft, sometimes in private contests, also points to a larger shift in how independent security researchers are perceived — as potential assets for their knowledge and skills, rather than shadowy agents or potential criminals.
“That's a level of confidence that you have not seen too many closed-source software companies take in the past, and I'm really hopeful that others will follow suit,” said Alex Rice, chief technology officer at HackerOne, which is managing the program.
Uber has been making a series of efforts to root out vulnerabilities — perhaps ahead of a future move to fully self-driving cars — including conducting private tests for bug bounties. Last year, , two independent hackers who had successfully cut the controls in several car models, including a remote takeover of a 2014 Jeep Cherokee.
Smaller flaws , but a bug considered “critical” — causing “full account takeover,” or exposing sensitive data such as social security or bank account numbers — would net $10,000.
The hackers will have 90 days to identify bugs in Uber’s system, but need to find at least four bugs before they can start receiving the bounties.
If a researcher finds a fifth bug, the company will offer them a bonus of 10 percent of the average value of the previous four bugs as a “loyalty program,” to encourage “white hat” hackers to continue identifying vulnerabilities in the company’s systems.
After it's been fixed, the company would also be open to publicly disclosing a bug identified by an independent hacker.
For Uber, the bug bounty program could also help ensure a lasting relationship with highly skilled independent security researchers. “We believe a more transparent program will be a more successful [one],” Mr. Greene told Wired.