
Uber will pay hackers up to $10,000 to find bugs in its system


The ride-hail company's first bug bounty

Amelia Krales

Uber wants to recruit a few good "white hat" hackers to comb through its code for weaknesses that could expose drivers' and riders' personal information. In May, the company says it will hold a bug bounty, in which self-described "security researchers" can get big bucks for finding flaws in Uber's system. Small bugs will net a few thousand dollars, but major security flaws could earn a hacker up to $10,000 — plus compounding interest if they stay loyal to Uber.

Starting May 1st, security researchers will have 90 days to identify bugs in Uber's system. Those who find four or more bugs will get a bonus that's the equivalent of 10 percent of the average of the previous four bugs. Uber says this will serve as a "loyalty program" to encourage hackers to keep searching for bugs. And a "treasure map" will be provided by Uber to help researchers navigate the company's code.

A loyalty program, and a treasure map

There are three levels of bugs, each of which pays an escalating amount: "medium" bugs, such as being able to change a driver's picture or any vulnerability which allows the bulk lookup of user universally unique identifiers, pay $3,000; "significant" bugs, like missing authorization checks leading to the exposure of email addresses, date of birth, names, phone numbers, etc., pay $5,000; and "critical" bugs, like "full account takeover" or anything that exposes personal data like social security numbers, credit card numbers, bank account numbers, and driver license images, will net hackers a cool $10,000.

Uber says the bug bounty is not in response to any specific incident of hacking, although the ride-hail company has had a fair share of notable security breaches over the last few years. A breach in 2014 exposed personal information of over 50,000 drivers. The company waited five months before notifying drivers, which led to a $20,000 fine by the New York state attorney general. Last year, a bug allowed hackers to maintain access to compromised accounts even after the password was changed. And this year, the social security and tax ID numbers of a Florida woman who drove for Uber were inadvertently sent to thousands of other drivers.


Rather than any of those incidents, Uber says the bug bounty is in response to a private "beta" hackathon it held last year, in which 200 security researchers identified over 100 bugs. This convinced the company that it needed "an extra layer of security" on top of the researchers it keeps on staff.

"You want to stack the odds in your favor," said Colinn Greene, a member of Uber's security team that is overseeing the bug bounty. He explained that Uber's own team is the first line of defense against bugs, but outsiders can help find those flaws that slip through the cracks. "If there is anything that slips out, we want to incentivize people and pay them a whole bunch of money to come and tell us about it. And that makes all the other parts of the system better, in addition to finding the security bugs."

These days, bug bounties are all the rage in Silicon Valley, where hackers can earn beaucoup bucks for finding defects in companies like Google and Facebook. Even automotive companies like General Motors and Tesla have hosted their own bug bounties. Uber, which is valued at $62.5 billion, making it the most valuable startup in the world, sees itself as on par with the Valley's other heavy hitters, and therefore in need of the same type of digital protection that its massive valuation can afford. The ride-hail service is working with HackerOne, a San Francisco-based startup that runs bug bounties for big technology companies.


"The fact that Uber has joined vehicle companies in starting either a bug bounty program (like Tesla), or a vulnerability coordination program (like GM), shows a significant shift in the common acceptance of bug bounties as an industry best practice and an effective tool," said Katie Moussouris, chief policy officer at HackerOne. "In just a few years, we've gone from bug bounties being only common among traditional software vendors, to today where more [Internet of Things] vendors are recognizing the value of hackers."

While many hackers shun the limelight, Uber says it will publicize the best submissions — with permission — on its websites so other researchers can learn by example. "We're going to say, 'Hey guys, this is really cool work,'" Greene said. "Check this out."