Uber launches bug bounty program that pays hackers to find security issues

Uber announced today that after a year of Beta testing, it was opening its first ever bug bounty program running on the HackerOne bug bounty platform.

Bug bounty programs for those of you not familiar with the lingo, pay hackers or researchers as they prefer to call them to find security vulnerabilities on a software platform. In essence, it’s turning people who might have once exploited those issues into your friends by paying them for their efforts.

Most major companies such as Microsoft, Google and Facebook have these types of programs. In fact, Collin Greene, who helped developed this program for Uber previously worked at Facebook with HackerOne CTO Alex Rice helping set up a similar program there — it’s a small world after all.

Uber’s program has several unique components. First of all, it’s trying to be as direct as possible with researchers when it comes to ground rules and payments. Greene says one of the issues that researchers/hackers have with these programs is that the payment system can be capricious. Someone finds a bug and a negotiation commences over how valuable it its.

He says that this program is going to be crystal clear about what Uber will pay, offering up to $10,000 for a critical bug.

Secondly the company wants to reward loyal researchers, who report lots of bugs, so they are setting up a loyalty program. “There is actually only a small pool [of qualified researchers] who can find bugs in these applications, a small percentage and you want to grab their attention and keep it,” Greene explained.

In essence, Uber is gamifying bug finding to keep the best researchers engaged. The first loyalty program launches on May 1st and lasts 90 days. If a researcher finds 4 bugs within that period, he or she gets paid a bonus upon reporting the fifth and any subsequent bugs. The bonus is equivalent to 10% of the average payouts for all the other issues found in that session, according to Uber.

Finally, Uber is giving the researchers a bit of a head start by offering a document they are calling “The Treasure Map.” While it’s a fun name (adding to the gamification aspect of the program), it provides valuable information about the best places to look for bugs and vulnerabilities.

“We look at code and think like hackers and find security vulnerabilities. [The participants] get our accumulated wisdom about the code base and the areas where bugs are most likely to be found,” Greene said.

The company started with a Beta of 200 researchers and refined the program over the last year to include the elements announced today. Alex Rice, CTO at HackerOne says this is the first time they have seen a company collect feedback in this manner before launching.

“Uber started out like all HackerOne customers running a private pilot but their program was unique in that they put a special emphasis on collecting feedback from hackers on how to best
structure their program to make it effective. From here, they worked with us at HackerOne to create features needed to run the loyalty program,” Rice told TechCrunch.

The hope is that over time the bugs will be harder and harder to find, the more they fill in holes in the code base based on the information they get from the bounty program participants. As that happens, the payments will go up with the level of difficulty and everybody wins. The hackers get rewarded for their hard work and Uber builds a more secure platform.