Why Uber will pay up to $10,000 for hackers to break into its system

The company's 'bug bounty' is part of an emphasis on transparency and collaboration with friendly 'white hat' hackers.

Julio Cortez/AP/File
This Friday, Nov. 21, 2014 file photo taken in Newark, N.J., shows smart phones displaying Uber car availability in New York. On Tuesday, the ride-hailing company launched a "bug bounty" program that promises up to $10,000 for information about vulnerabilities in the company's apps and websites and includes a "treasure map," showing where they might be found.

Uber on Tuesday became the latest firm to offer a cash bounty for tips about bugs in its systems, as the ride-hailing company said it would release a technical “treasure map” of its computer systems to a select group of hackers.

The company’s “bug bounty” begins on May 1 and offers independent security researchers up to $10,000 for finding a range of flaws that could expose personal information about the company’s passengers and drivers.

Uber is far from the first company to launch such an effort (it has partnered with HackerOne, an independent firm that specializes in coordinating bug bounties), but the release of its “treasure map” may mark a new level of transparency for the company.

“We’re saying ‘here are the different portions of the website, the mobile apps and how they work, and the technologies underneath them. If I were a security researcher, here’s where I’d look,’” Collin Greene, security engineering manager at Uber, told Wired. He previously oversaw a similar program at Facebook.

The map provides details of the company’s software, points to the types of data that might be exposed inadvertently and then suggests what types of flaws are most likely to be found.

Uber has previously guarded information about its code, with a team of researchers from Northeastern University recently describing the algorithm that makes its controversial “surge pricing” work as a “black box.”

The company says it is only revealing information that is already public. The treasure map covers its websites and apps for drivers and riders, not other aspects of its technology, such as drivers' cars.

But its bug bounty, an approach that large tech firms such as Microsoft and Facebook have used for years, sometimes in private contests, also points to a larger shift in how independent security researchers are perceived: as potential assets for their knowledge and skills, rather than as shadowy agents or potential criminals.

“That's a level of confidence that you have not seen too many closed-source software companies take in the past, and I'm really hopeful that others will follow suit," Alex Rice, chief technology officer at HackerOne, which is managing the program, told Reuters.

Uber has been making a series of efforts to root out vulnerabilities, including running private bug bounty tests, perhaps with an eye toward a future move to fully self-driving cars. Last year, the company hired Charlie Miller and Chris Valasek, two independent researchers who had demonstrated taking control of several car models, including a remote takeover of a 2014 Jeep Cherokee.

Smaller flaws could yield only a few thousand dollars, but a bug rated “critical,” one allowing a “full account takeover” or exposing sensitive data such as Social Security or bank account numbers, would net $10,000.

The program runs in 90-day sessions, and each valid bug is paid on its own; a researcher must report at least four bugs within a session before the program’s loyalty bonus applies.

Once a researcher reports a fifth bug in a session, the company will add a bonus of 10 percent of the average payout of the previous four bugs as a “loyalty program,” to encourage “white hat” hackers to keep identifying vulnerabilities in the company’s systems.

The company would also be open to publicly disclosing a bug identified by an independent researcher once it has been fixed.

For Uber, the bug bounty program could also help build a lasting relationship with highly skilled independent security researchers. “We believe a more transparent program will be a more successful [one],” Mr. Greene told Wired.

https://www.csmonitor.com/Technology/2016/0322/Why-Uber-will-pay-up-to-10-000-for-hackers-to-break-into-its-system