Uber Offers “Treasure Map” For Friendly Hackers To Locate Bugs

Uber has issued a fresh invitation to friendly hackers to find vulnerabilities in its computer systems.

To aid the so called “white hat” hackers, Uber released a technical or “treasure” map of its computer and communications systems, and said it will pay out up to $10,000 (£7,075) for identifying critical flaws.

Treasure Map

Uber has had a bug bounty scheme in place since last year, and said that over 200 security researchers are involved. So far, these researchers have located nearly 100 bugs, all of which have been patched.

The taxi firm said that it has also created a first-of-its-kind “loyalty reward program”, designed to encourage members of the security community to keep searching for flaws.

The first such reward program season will begin on 1 May and will last 90 days. To qualify, researchers must already have found four genuine bugs. If they locate a fifth flaw within the 90-day period, they will receive an additional bonus payment equal to 10 percent of the average payout for all the other issues they found in that season.

“Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look-out for ways to improve,” said Joe Sullivan, Uber’s Chief Security Officer. “This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”

And to give researchers every possible assistance, Uber created a “treasure map” to show security researchers how to find the different classes of bugs across its codebase. It promises to publicly disclose and highlight the highest-quality submissions (with permission from the hacker), and will give access to new features at the same time they are rolled out to Uber employees.

“We believe that bug bounty programs are an important part of the modern software development lifecycle,” said John Flynn, Uber Chief Information Security Officer. “Our unique program combines healthy rewards, a loyalty program, and a ‘treasure map’ of information to incentivize our community to find even the most subtle bugs as we work together to protect users.”

Poor Security?

Uber’s bug bounty program indicates a level of confidence in its systems, but also a realisation that its corporate security can still be improved.

Yet Uber has not always been so secure.

Last October it suffered an embarrassing data breach after details of hundreds of its drivers were leaked online. Leaked data included social security numbers, pictures of driver licenses, and vehicle registration numbers. It was thought that as many as 647 drivers across the US had their details accidentally revealed by the taxi company.

And in March 2015, Uber admitted that it had waited five months to report a separate breach, in which an attacker accessed one of its databases and stole the names and licence numbers of about 50,000 drivers.

It was later revealed that the database access key used to carry out this theft had been stored in a publicly accessible repository on the code-hosting service GitHub.
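The GitHub incident above is the textbook failure mode of committing credentials to a public repository. The following Python script is an added example, not Uber’s tooling and not from the original article: a minimal pre-commit style secret check that scans text for a known key format, keyword-style credential assignments, and long high-entropy strings. The rules, the 4.0-bit entropy threshold and the sample configuration are assumptions chosen for illustration; the key `AKIAIOSFODNN7EXAMPLE` is Amazon’s documented placeholder, not a live credential.

```python
"""Minimal secret scanner of the kind run as a pre-commit hook.

Added example, not Uber's tooling: patterns, threshold and the sample
input below are assumptions chosen for illustration.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Rule name -> regex whose group 1 is the suspected secret.
PATTERN_RULES = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # "password = ...", "api_key: ...", "token=..." style assignments.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token|private[_-]?key)"
        r"\s*[:=]\s*[\"']?([A-Za-z0-9_\-./+=]{4,})"
    ),
}

# Any long run of key-like characters is checked for randomness.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per repo


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    token: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated symbol."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Return every suspected secret in text, one Finding per distinct token per line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for rule, regex in PATTERN_RULES.items():
            for match in regex.finditer(line):
                token = match.group(1)
                if token not in seen:
                    seen.add(token)
                    findings.append(Finding(lineno, rule, token))
        # Entropy catches keys that no fixed pattern knows about.
        for token in TOKEN_RE.findall(line):
            if token not in seen and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                seen.add(token)
                findings.append(Finding(lineno, "high_entropy_string", token))
    return findings


# Constructed sample: one real-looking placeholder key (Amazon's documented
# example ID, not a live credential), two keyword assignments, one random
# string, and two harmless lines.
SAMPLE_CONFIG = """DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "changeme"
api_token: s3cr3t-value
# cache id: Zx9Qw3Er7Ty1Ui5Op0As2Df4Gh6Jk8Lm
# nothing sensitive here
"""


if __name__ == "__main__":
    # Scan stdin if something is piped in, otherwise the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = scan_text(source)
    for f in hits:
        print(f"line {f.line}: {f.rule}: {f.token}")
    # A non-zero exit makes a pre-commit hook refuse the commit.
    sys.exit(1 if hits else 0)
```

Run against the sample it reports four lines: the AWS key, the two keyword assignments and the random-looking string on the commented line. The entropy rule is the safety net for credentials with no fixed format, and its threshold is the main source of false positives, which is why the pattern rules take precedence and each token is reported once per line.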

Other incidents include Uber’s lost-and-found records being briefly published. Prior to that it emerged that an Uber executive had used the company’s tracking tools to monitor the movements of a journalist without her permission.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
