Uber has announced that it will be running a bug bounty program to reward hackers who find security flaws in company software.
For those unfamiliar with bug bounty programs: they reward hackers who find weaknesses in the security of apps. Uber has been testing its platform for a year and will now launch the program on the HackerOne bug bounty platform.
Uber joins Microsoft, Google and Facebook in bug bounty program
Instead of having hackers exploit the weaknesses in a system, bug bounty programs essentially make hackers work for a company by revealing points of entry. Many companies, including Microsoft, Google and Facebook, have similar programs.
Collin Greene, the man behind the Uber program, used to work at Facebook with HackerOne CTO Alex Rice, setting up a similar scheme there. However, Uber has built in some unique features.
The company is trying to be as transparent as possible when it comes to rules and payments. Some other programs have run into problems due to a lack of structure.
Payment structure clear and simple
Uber doesn’t want to enter into negotiations with hackers who find a bug. The company says that it will pay up to $10,000 to those who find a critical bug.
Those who find a steady stream of bugs will be rewarded under the terms of a loyalty program. “There is actually only a small pool [of qualified researchers] who can find bugs in these applications, a small percentage and you want to grab their attention and keep it,” Greene explained.
Uber is essentially gamifying bug finding in order to keep hackers interested. The loyalty program launches May 1 and will run for 90 days. Should a hacker find 4 bugs in that time period they will be rewarded with a bonus when they report the fifth and any subsequent bugs.
The bonus is worth 10% of the average payout for the other bugs found in that time period. Uber is also offering a document known as “The Treasure Map” in order to give hackers a head start. The document offers tips on where to start looking for bugs.
“We look at code and think like hackers and find security vulnerabilities. [The participants] get our accumulated wisdom about the code base and the areas where bugs are most likely to be found,” Greene said.
Uber striving for more secure platform
Beta testing involved 200 hackers who worked to perfect the final program. HackerOne CTO Alex Rice says that he has never seen a company collect feedback in this way before launching a program.
“Uber started out like all HackerOne customers running a private pilot but their program was unique in that they put a special emphasis on collecting feedback from hackers on how to best structure their program to make it effective. From here, they worked with us at HackerOne to create features needed to run the loyalty program,” Rice told TechCrunch.
The aim is to eliminate weaknesses so that they become harder and harder to find, and payments will increase as the security flaws become more difficult to spot. Uber gets to improve the security of its software and hackers get paid for their efforts: a win-win that benefits both parties.
If you’ve got the requisite skills you might be able to make a pretty penny finding security flaws in the Uber app.