Uber on Tuesday announced a bug bounty program that'll pay security researchers up to $10,000 in exchange for disclosing eligible vulnerabilities related to its various websites and apps. The transportation service provider is partnering with vulnerability disclosure company HackerOne on the project.
Uber said it launched the bug bounty program privately last year and invited more than 200 security researchers to participate. Collectively, those researchers have found nearly 100 bugs to date, all of which have since been patched.
To avoid confusion or misunderstanding, Uber has published a comprehensive list that outlines the specific types of vulnerabilities it is and isn't looking for, as well as its policy on chaining bugs, privilege escalation, public disclosure, promo code / give-get fraud and microsites. It has even created a "treasure map" to show researchers where different classes of bugs are likely to be found across its codebase.
Uber's bounty payouts range from $3,000 for "medium" issues, such as reflected cross-site scripting and rate-limiting flaws, to $10,000 for critical issues. There's also a mid-tier reward for "significant" issues, such as missing authorization checks that expose e-mail addresses, dates of birth, names, phone numbers and similar personal data.
What's more, the company has created what it calls a first-of-its-kind loyalty reward program that offers a bonus payout to researchers who have more than four bugs accepted by Uber within a 90-day "season." For the fifth bug, and each bug thereafter, the researcher receives a bonus equal to 10 percent of the average of their rewards during that 90-day period.