In a friendly nod to white-hat hackers, enlisting rather than employing them to look through its code and uncover vulnerabilities and possible weaknesses to exploit, Uber has announced a bug bounty program for security researchers.
With its first ever bug-bounty program, Uber has revealed that it will reward and pay independent security researchers with thousands of dollars for finding vulnerabilities in its websites and its apps across different platforms.
Uber is launching its official bug bounty program on the popular platform HackerOne. Notably, Uber is also trying to keep white-hat hackers on its side with a “loyalty system” that rewards hackers with bonuses for repeated disclosures of bugs, exploits and other vulnerabilities on Uber’s platform. Essentially, they earn compounding interest on their rewards if they stay loyal to the company.
Hackers will have up to 90 days to identify bugs in Uber’s system. Before Uber starts paying them, however, hackers will need to disclose at least four bugs in Uber’s platform. Hackers who find a fifth bug will gain a bonus equal to 10 percent of the average payout of the previous four bugs. This feature, according to Uber, will serve as a “loyalty program” to ensure that hackers are encouraged to keep searching for bugs in Uber’s platform.
‘Medium’ issues will be rewarded with $3,000 on discovery, while the reward could go up to $10,000 for critical issues.
‘Critical issues’ include any hackable exploits that involve information pertaining to drivers’ social security numbers, credit card details, bank account numbers, driving license images and more. A hack that results in full compromise of a rider’s or driver’s account is also considered a critical issue, as is exposure of payment or driver invoice information, such as in a breach. Any potential access to Uber’s source code is also considered a critical issue, as are vulnerabilities leading to the compromise of Uber employee accounts by circumventing two-factor authentication.
The second tier, deemed ‘Significant Issues’, rewards hackers $5,000. Exploits considered here include Cross-site Scripting concerns that can damage Uber’s brand by defacing the home page. Missing authorization checks that could lead to the exposure of email addresses, dates of birth, phone numbers and names will also be considered.
Finally, ‘Medium Issues’ constitute the third tier, at $3,000, where rate-limiting concerns, account validation bypasses and other smaller exploits – relatively speaking – are rewarded.
In the past, Uber has suffered massive breaches, including one that occurred in May 2014 and affected nearly 50,000 drivers. The company only discovered the breach four months later, in September 2014, before finally making news of it public in March 2015.
Uber has, in the past, even agreed to pay $20,000 as a fine for the explicit ‘failure to provide timely notice to drivers’ about a breach that occurred in 2014.