Slashdot Mirror


Uber Announces Bug Bounty Program, To Pay Up To $10,000 To Friendly Hackers (wired.com)

An anonymous reader writes about Uber's newly announced bug bounty program: Taxi aggregator service says it is willing to pay security researchers thousands of dollars if they are able to find vulnerabilities in its apps and websites. The company says that it will reward security researchers who are able to deface its homepage or expose users' email addresses a sum of $5,000. A sophisticated breach, which presumably allows an attacker to get hold of Uber accounts, or facilitate execution of malicious code on an Uber production server will grant him or her up to $10,000. From a TechCrunch report, "Uber's program has several unique components. First of all, it's trying to be as direct as possible with researchers when it comes to ground rules and payments. Greene says one of the issues that researchers/hackers have with these programs is that the payment system can be capricious. Someone finds a bug and a negotiation commences over how valuable it is. He says that this program is going to be crystal clear about what Uber will pay, offering up to $10,000 for a critical bug. Secondly, the company wants to reward loyal researchers, who report lots of bugs, so they are setting up a loyalty program."

18 comments

  1. Hmm by liqu1d · · Score: 1

    Pretty sure there would be people paying more to find such bugs on Uber's platform.

    1. Re:Hmm by WarJolt · · Score: 1

      I agree, but it's hard to justify security to upper management until they see a threat. Your best bet is to find two vulnerabilities. Exploit one anonymously, watch them raise the bounty and collect on the second.

    2. Re:Hmm by Swave+An+deBwoner · · Score: 1

      You could call that "Surge Pricing". Sounds catchy. They might go for it.

  2. Hacking Uber != Hacking cars used by Uber drivers! by phayes · · Score: 2

    There is absolutely no relation between the two. It's "High time" that /. admins edit submissions to remove editorial junk like this.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  3. How much for...? by OakDragon · · Score: 1

    How much of a bounty for drivers that lose their shit and shoot people?

  4. Re:Hacking Uber != Hacking cars used by Uber drive by msmash · · Score: 1

    My bad. Thanks for pointing it out. Have removed that bit.

  5. Some more details by campuscodi · · Score: 1

    These are some restrictive rules: https://newsroom.uber.com/bug-...

  6. Re:At least Dice were paid for running Uber stori by Anonymous Coward · · Score: 0

    Two Wired stories on the frontpage by this new shitty mod manishs..... now we know who's paying who...

    This guy has been selecting only arstechnica and wired stories for days.... we all know where these sites are... people come to slashdot for more techy news stories, not mainstream crap

  7. Surge bug by Anonymous Coward · · Score: 0

    Uber seems to be surging a lot lately. Is there a bug in the software?

    But, I really love how you can have Uber and Lyft and just choose the best one at any time. Even the drivers do that!

  8. Yet all will be guilty by Anonymous Coward · · Score: 0

    because hackers

  9. Will it be fair? by elixircode · · Score: 1

    I hope that they're cooler than Instagram when it comes to bug bounties. This person here found multiple security issues in Instagram and instead of paying him they threatened him: http://www.exfiltrated.com/res...

  10. Better add a couple more zeros on the end by neo-mkrey · · Score: 1

    ...just sayin'

  11. Taxi aggregator? by Anonymous Coward · · Score: 0

    I thought they were a ride sharing app...

  12. Too dumb! by Serpent6877 · · Score: 1

    They either don't trust their engineering department and expect plenty of bugs to have to pay out for or too dumb not to realize that one critical bug released in the wild could cost them millions or tens of millions. Why not put a value on what the bug could have cost the company? Then pay out a percentage up to a maximum payout of a million or something. That would get people interested.

    --
    When all else fails, hire me!
  13. Enough for living? by Vadim+Makarov · · Score: 1

    Can you make a living selling bugs to bounty programs? Or does this come as an occasional perk on top of a salaried IT job?

    --
    17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  14. Re:Hacking Uber != Hacking cars used by Uber drive by phayes · · Score: 1

    (I only noticed that you replied when seeing that my comment had been modded)
    Thank you for noting that the sentence was irrelevant, removing it & then replying to inform me. These are all things that /. hadn't been doing much of recently and are much appreciated.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue