
The other side of hacking: Uber is launching its 1st Bug Bounty Program

28 Mar 2016

The California-based urban mobility disruptor Uber has announced its first bug bounty program, starting on May 1st.

Uber, one of the most valuable start-ups of recent years, joins the Silicon Valley recruitment game by launching a “white hat” challenge to find weak spots in its code. From May 1st, hackers can compete to pinpoint serious flaws in Uber’s software. The challenge will last 90 days, during which researchers and security engineers are given a “treasure map” (Uber’s own guide to its attack surface) and the chance to earn loyalty program bonuses. Reporting smaller bugs will earn hackers up to $3,000, while the prize for identifying major issues can reach $10,000, plus an extra bonus for sustained work over the period.



The Rules

Uber has been very clear about the requirements and rewards of its first bug bounty program. Rewards are paid per accepted report; the loyalty bonus, on the other hand, is reserved for researchers who report at least four valid security issues during the 90-day window. Reported issues are classified as:


  • Critical (exposure of personal data or payment information, or compromise of employee accounts);
  • Significant (authorization flaws and exposure of personal contact details to third parties);
  • Medium (bulk look-up of UUIDs or the ability to change a driver’s picture).


The rewards for the three severity levels are $10,000, $5,000 and $3,000 respectively. Additionally, the best researchers will be publicly recognised and given early access to the latest Uber features.



The big picture


Almost every app requires users to enter some personal information, which makes security a top priority for any business going digital. Even an A-team of developers, testers and engineers may prove insufficient at times, as there is always a risk of sensitive data ending up in the wrong hands (before saying more: we still remember those Jennifer Lawrence selfies).


Bug bounty programs are not new to the industry. Silicon Valley tech giants have been running them for years; some offer financial rewards, others rely on public recognition. So what has changed now? We would like to think it is the tone: hacking has gone mainstream, and smaller companies are now embarking on the bug bounty journey too. The benefits of such a decision are numerous, starting with cost-effectiveness relative to the results produced. It is one thing to have a small team of testers; it is quite another to have hundreds of researchers probing your software for vulnerabilities. It adds one more layer of security that, if affordable, should not be underestimated. A change of perspective is also refreshing: working on a product for too long can dull one’s critical eye, and an outsider’s view can then prove helpful. Helpful as in the more than 100 issues found in the private bounty program Uber ran last year.


One thing is certain: hacking is no longer a taboo for companies.