Uber's Bug Bounty Features a Twist
Security pros, take note: Uber is offering sizable bounties for bugs. The ride-sharing firm wants to ferret out vulnerabilities in thirteen categories, including SQL injection, cross-site scripting, and directory traversal issues. As with other firms that have offered similar bounties over the past few years, it does not want a crowd to attempt phishing or denial-of-service attacks, or tackle “minor” bugs such as missing autocomplete attributes. Sites within the scope of this program include https://*.uber.com, https://*.dev.uber.com, http://petition.uber.com, and the various rider and partner apps for Apple iOS and Google Android.

Find a critical issue such as remote code execution on a production server, or anything that exposes personal information, and Uber will pay out a cool $10,000. Significant issues, including missing authorization checks that lead to the exposure of personal information, will net $5,000. Then there are the medium issues—cross-site request forgery, access control vulnerabilities, rate-limiting problems—that will earn $3,000.

Uber is also putting its own spin on bug bounties with a “loyalty reward program” designed to encourage security pros to dig up multiple vulnerabilities. Once an individual has nailed four bugs, discovering additional issues will trigger a bonus payout “equivalent to 10 percent of the average payouts for all the other issues found in that session,” according to a corporate blog posting.

Last but certainly not least, Uber has instituted a regularly updated “treasure map” that details Uber’s online properties and areas of potential vulnerability. For example, riders.uber.com includes this note: “All web vulnerabilities are a concern as well as any bug that could result in disclosure of arbitrary Uber rider information.” The purpose is to help guide security researchers towards bugs.
Considering its reliance on crowds (of cars and freelancing drivers) as the core of its business model, it’s no surprise that Uber would eventually rely on crowds (of tech pros) to help protect its tech backbone.