In most respects, the program is similar to those offered by Google, Facebook, and so many other companies. It pays as much as $10,000 for the most critical vulnerabilities and provides a public forum to acknowledge the smarts of researchers who privately report bugs that no one inside the company was able to identify. Still, there are a few features that its designers say make it stand out from what’s been done so far.
For instance, the Uber bounty program comes with a technical treasure map of sorts that’s intended to help researchers find high-severity bugs quickly. The treasure map included with Tuesday’s announcement enumerates some of the company’s most security-sensitive subdomains, along with a brief description of types of assets that are at stake and the types of vulnerabilities that might threaten them. A description of partners.uber.com, for instance, describes it as the place driver partners visit to access private driver documents, payment statements, tax information, and other highly sensitive data.
“Access control vulnerabilities are a major concern, so if you access a driver partner’s private information, you can expect a large reward,” the bug hunter’s guide states. “Any Web vulnerability that could allow the hijacking of a user’s account is also considered high risk.” The guide provides details about cn.uber.com, the subdomain that iOS and Android apps access. “Tons of functionality is exposed here—everything from finding nearby drivers to splitting trips with your friends,” Uber officials wrote. “This API exposes the largest attack surface of any service here at Uber.”
The write-up goes on to say: “The best way to hunt for bugs here is to use your own token via the X-Uber-Token header, use the UUID of another trip/user/resource, and see if the request succeeds (basically, perform access control testing). Keep in mind that you should only ever perform this testing against accounts you own (failure to do so could result in removal from the program, which nobody wants!).”
What’s going on?
Uber Security Engineering Manager Collin Greene said the technical roadmap is designed to address one of the bigger complaints many researchers have with bug bounty programs, including with the one Facebook put in place when he worked there.
“That was probably the No. 1 most common request,” he told Ars. “What’s going on? What kinds of things are you seeing internally? When we think of the bug bounty community, they’re doing a lot of the same work we’re doing internally. We want to give them all the same information we have.”
Uber is also hoping to make its new bounty program stand out in another way—with a loyalty program aimed at bringing in follow-on reports. In much the way a punch card aims to pull in repeat customers with a free cup of coffee for every 10 cups they buy, the loyalty program will give a 10-percent bonus for five or more reports made within a 90-day window.
“The really good researchers tend to cluster on certain programs,” Greene said. “We really want to get people focused on Uber and Sticking with Uber when they look for security vulnerabilities.”
Although precise numbers are hard to come by, there are at least 400 organizations that are known to sponsor some sort of bug bounty program, according to HackerOne, a company that helps hardware, software developers, manufacturers, and service providers develop and maintain them. The first organization known to have paid cash rewards for private security disclosures was Netscape Communications with its Netscape Bugs Bounty program announced in 1995. Earlier this month, the US Military joined the fray with a program it calls Hack the Pentagon. The programs have become a key part of many groups’ security regimens by harnessing the expertise and good will of hackers who otherwise might let the flaws go unreported—or worse, sell them to people with nefarious motives.
“Bug bounties are rooted in the reality that there is no such thing as bulletproof security in 2016,” HackerOne CTO and cofounder Alex Rice told Ars. “When an organization has reached a level of maturity that other forms of security investment begin producing diminishing returns, a bug bounty program provides immense value through collaboration with the security community. In exchange for a bounty, organizations learn about software vulnerabilities that would have otherwise gone undetected.”
Tuesday’s unveiling by Uber comes about a year after the startup launched the program in private. Over that time, about 200 security engineers have reported about 100 vulnerabilities. The program comes a little more than a year after company officials admitted a database storing tax details and other personal information belonging to 50,000 drivers was illegally accessed by one or more unknown individuals. Court documents later revealed that engineers had stored a security key unlocking the database on a publicly accessible GitHub page in what can only be described as a blunder of epic proportions.
Over the past 18 months, Uber has been assembling top-flight talent to fill out its security team. In April 2015, Joe Sullivan, Facebook’s chief security officer who is largely credited with helping the social network develop one of the industry’s best-organized security teams, took a job with Uber, where he holds the same title. In July, Uber lured Facebook Information Security Director John “Four” Flynn. A month later, the company hired Charlie Miller and Chris Valasek, the research duo who last year demonstrated how to shut down a 2014 Jeep Cherokee as it was being driven on the interstate by Wired reporter Andy Greenberg.