Uber Announces Bug Bounty Program, To Pay Up To $10,000 To Friendly Hackers

An anonymous reader writes about Uber's newly announced bug bounty program: Taxi aggregator service says it is willing to pay security researchers thousands of dollars if they are able to find vulnerabilities in its apps and websites. The company says that it will reward security researchers who are able to deface its homepage or expose users' email addresses a sum of $5,000. A sophisticated breach, which presumably allows an attacker to get hold of Uber accounts, or facilitate execution of malicious code on an Uber production server will grant him or her up to $10,000. From a TechCrunch report, "Uber's program has several unique components. First of all, it's trying to be as direct as possible with researchers when it comes to ground rules and payments. Greene says one of the issues that researchers/hackers have with these programs is that the payment system can be capricious. Someone finds a bug and a negotiation commences over how valuable it its. He says that this program is going to be crystal clear about what Uber will pay, offering up to $10,000 for a critical bug. Secondly, the company wants to reward loyal researchers, who report lots of bugs, so they are setting up a loyalty program."

Hmm

[liqu1d]

Pretty sure there would be people paying more to find such bugs on ubers platform.

Re:

[WarJolt]

I agree, but it's hard to justify security to upper management until they see a threat. Your best bet is to find two vulnerabilities. Exploit one anonymously, watch them raise the bounty and collect on the second.

Re:

[Swave An deBwoner]

You could call that "Surge Pricing". Sounds catchy. They might go for it.

Hacking Uber != Hacking cars used by Uber drivers!

[phayes]

There is absolutely no relation relation between the two. It's "High time" that /. admins edit submissions to remove editorial junk like this.

Re:

[msmash]

My bad. Thanks for pointing it out. Have removed that bit.

Re:

[phayes]

(I only noticed that you replied when seeing that my comment had been modded)
Thank you for noting that the sentence was irrelevant, removing it & then replying to inform me. These are all things that /. hadn't been doing much of recently and are much appreciated.

How much for...?

[OakDragon]

How much of a bounty for drivers that lose their shit and shoot people?

Some more details

[campuscodi]

These are some restrictive rules: https://newsroom.uber.com/bug-... [uber.com]

Will it be fair?

[elixircode]

I hope that they're cooler than instagram when it comes to bug bounties. This person here found multiple security issues in instagram and instead of paying him they threatened him: http://www.exfiltrated.com/res... [exfiltrated.com]

Better add a couple more zeros on the end

[neo-mkrey]

...just sayin'

To dumb!

[Serpent6877]

They are either don't trust their engineering department and expect plenty of bugs to have to pay out for or to dumb not to realize that one critical bug released in the wild could cost them millions or tens of millions. Why not put a value on what the bug could of cost the company. Then pay out a percentage up to a maximum payout of a million or something. That would get people interested.

Enough for living?

[Vadim Makarov]

Can you make a living selling bugs to bounty programs? Or does this come as an occasional perk on top of a salaried IT job?