Uber’s bug bounty program emerged from private beta yesterday; Uber had used the private beta as a feedback forum for participants in order to develop the public program.
“This was pretty unique in its approach,” said HackerOne CTO Alex Rice. Uber’s program is built on the HackerOne platform, and Uber announced that the program’s biggest payouts for critical issues will reach $10,000.
The most consistent piece of feedback derived from the private program, Rice said, was that white hat participants wanted transparency with Uber.
“The recurring theme was that researchers would be more effective if they were treated like internal security team members, rather than be kept arm’s length as we see with most bug bounty programs.”
The public program has several unique facets to it, including the public availability of what Uber is calling a treasure map, a published security guide that describes internal Uber systems, applications and infrastructure, and what types of vulnerabilities each might hold and thus would be in scope for a bounty.
“It’s a guide to security testing,” Rice said. “You normally wouldn’t have something like this unless you were doing security onboard training at the company. This is highly effective for external researchers to have so that they can dive in. Most bug bounty participants spend significant time getting the lay of the land, understanding what the architecture and infrastructure might look like and where to look.”
The treasure map includes a number of public-facing services Uber would like participants to study. Some of the services include cn.uber.com, a service that communicates with Uber’s mobile apps, which is described as the largest attack surface of all of Uber’s services, and vault.uber.com, a service where partners enter banking and identity information in order to get paid and be screened for employment.
Uber business, partner, developer and help sites are also among those in scope, and the program hopes participants will ferret out everything from typical application vulnerabilities, to access control bugs, information leaks and other flaws that could expose user or business information. Uber has published a list of bugs in scope.
Uber has also instituted a loyalty program under which it will pay bonuses to participants who are more engaged than others. For example, the first instance of the program begins May 1 and lasts 90 days. During that time, participants who find five or more bugs will be paid a bonus equivalent to 10 percent of the average of their first four payouts, and will continue to earn bonuses for additional vulnerabilities found during the 90-day session. Rice said this is the first such loyalty program to run on the HackerOne platform.
“It starts to multiply quickly,” Rice said. “This is an extra monetary incentive for researchers to dig in.”
Uber also said it promises to disclose the highest-quality submissions and will provide researchers with access to new features as they’re rolled out to Uber employees.
“We love seeing this level of commitment to transparency and collaboration,” Rice said. “We believe it’s a way forward for security teams.”