In May, Uber will hold a bug bounty, in which "security researchers" can earn money for finding flaws in Uber's system.
Starting May 1st, security researchers will have 90 days to identify bugs in Uber's system. Those who find four or more bugs will get a bonus equivalent to 10 percent of the average payout for the previous four bugs. Uber says this will serve as a "loyalty program" to encourage hackers to keep searching for bugs. Uber will also provide a "treasure map" to help researchers navigate the company's code.
There are three levels of bugs, each of which pays an escalating amount: "medium" bugs, such as being able to change a driver's picture or any vulnerability which allows the bulk lookup of user universally unique identifiers, pay $3,000; "significant" bugs, like missing authorization checks leading to the exposure of email addresses, date of birth, names, phone numbers, etc., pay $5,000; and "critical" bugs, like "full account takeover" or anything that exposes personal data like social security numbers, credit card numbers, bank account numbers, and driver license images, will pay hackers $10,000.
"We believe that bug bounty programs are an important part of the modern software development lifecycle. Our unique program combines healthy rewards, a loyalty program, and a 'treasure map' of information to incentivize our community to find even the most subtle bugs as we work together to protect users," said John "Four" Flynn, Uber Chief Information Security Officer.