After a year of making headlines for the wrong reasons, Uber's security team is taking a step in the right direction, inviting friendly hackers to a hack its website and apps, and help the company make them more secure.
The cab-hailing giant promised rewards of up to $10,000 for security researchers as part of a bug bounty program that also gives bug hunters a "treasure map" of Uber's apps and websites to help them find more bugs.
The program was launched on Tuesday, after more than 10 months of a private test-run, where 200 security researchers found almost 100 bugs, according to the company. With this announcement, Uber joins dozens of tech companies who offer independent security researchers rewards for reporting bugs and issues in their own products and services.
Uber is telling hackers: "if I was you, I would look here and I would look for these sort of bugs."
The bug bounty comes after a rocky year for Uber's security team. In the last twelve months, dark web vendors have seemingly sold the login credentials of thousands of Uber users for $1 or even 40 cents each. It is unclear how many of those purchased accounts were then used to order illegitimate rides, but dozens of users all over the world reported fraudulent trips on their accounts. Uber's usual response after reports of new hacked accounts was to dismiss them because the compromises were not part of a data breach. The victims likely used easy-to-guess passwords, or passwords that had been compromised and circulated online as part of a previous data breach at another service or website.
At times, however, the company responded to these incidents with even worse security. And despite all these hacked accounts, Uber didn't realize that a bug allowed hackers to maintain access to other people's accounts even after the victim's changed their passwords—a bug Motherboard reported with the help of a reader (disclosure: neither I, nor our reader, got a reward).
But there were data breaches where Uber was at fault too. The company accidentally exposed hundreds of drivers licenses and social security numbers online, as well as some users' private data.
Now, the company hopes outside hackers can help them avoid these mistakes, and make Uber more secure.
Collin Greene, Uber's security engineering manager, said that the bug bounty program is a logical step for Uber, after the company ramped up its security team, starting with the hire of former Facebook's head of security Joe Sullivan. In the last few months, Uber's in-house team of hackers has been testing their own products and developed their own tools to find and fix bugs, Greene said. But now it's time to open it up to outside hackers.
"The bug bounty is not the cherry on top, but the final step," Greene, who headed the project to create the company's bug bounty program, told Motherboard in a phone interview. "It encourages people to peek and prod and responsibly disclose security issues that all the other methods might have missed."
Uber is even giving outside hackers what it calls a "treasure map" to go find bugs.
With that goal in mind, Uber is even giving outside hackers what it calls a "treasure map" to go find bugs. This is essentially a guide of all the companies' websites, apps, and systems, with information on what software runs beneath their hoods, and what type of bugs these services could have, according to Greene, who created and managed Facebook's own program for ethical hackers before joining Uber last year.
The idea is to save researchers the time to figure out all those things on their own, and focus on finding bugs. In other words, it's like telling them "hey, if I was you, I would look here and I would look for these sort of bugs," Greene told me.
This is a completely novel approach, according to Alex Rice, the chief technology officer at HackerOne, a company that helps companies connect with security researchers who find bugs in their websites and services. Rice praised the "unprecedented" level of transparency in Uber's bug bounty program. As part of this approach, Uber promises to publicly disclose the best submissions, and provide independent hackers with access to new features at the same time as Uber employees get them.
The company is also offering incentives for researchers to keep looking at its code, even after they find one bug. If a researcher finds five bugs within 90 days of what Uber calls a "loyalty season," they'll get a bonus payout of 10 percent, which will be based on the average of all the other payouts.
Correction: This article has been corrected to clarify that the bug bounty program was launched Tuesday, but the first loyalty season launches on May 1.