February 19, 2024

Editors' notes

This article has been reviewed according to Science X's editorial process and policies. Editors have highlighted the following attributes while ensuring the content's credibility:

fact-checked

trusted source

proofread

Uber kicks off public bug bounty program

by University of Sharjah

Uber has joined the likes of Google, Microsoft and Facebook to set up an official bug bounty program, inviting researchers to find and report vulnerabilties in the ride-sharing company's websites and mobile applications.

Uber kicks off public bug bounty program

The program is run through San Franciso-based HackerOne, and pays out US$3000 for medium-severity issues such as reflected cross-scripting flaws, cross-site request forgery (XSS and CSRF respectively) flaws, access control and account validation bypasses, and similar vulnerabilties.

Bug hunters who find more significant problems - such as instances where sensitive customer and driver informaton could be leaked - will reap rewards of up to US$5000.

Finding remote code execution holes on Uber's production servers, personally identifiable information leaks for individuals, account takeovers and access to source code are rated as critical issues by Uber, meaning the payout surges to US$10,000.

Uber won't, however, pay rewards for any fraud issues.

The bug bounty program follows a private beta trial that over 200 security researchers took part in, Uber said. That program discovered around 100 bugs which have now been fixed.

Several caveats are included in Uber's bug bounty program, which starts its first reward season May 1 United States time, and runs for 90 days.

Researchers will only be eligible for rewards once they've found four issues that Uber accepts are genuine bugs; if they find a further fifth vulnerability within the 90-day bug hunting season, Uber will pay out an additional bonus. This will amount to ten percent of the average payouts for all other issues discovered in the 90-day season.

High-quality vulnerability submissions will be publicly disclosed.

Uber has also set up a "treasure map" for researchers that outline the company's different online services, and with tips on how to find bugs.

The company's chief security and chief information security officers Joe Sullivan and John Flynn said the bug bounty program will help make Uber's code as secure as possible, and provide an incentive for its community to find subtle bugs.

Explore further

House Republican leader: 'health plan will require monthly abortion premium'
66 shares

Feedback to editors

Dolphins' Tagovailoa is a playful, willing backup
Dolphins' Tagovailoa is a playful, willing backup

2024-07-09 19:24

SA starts testing smartphone payments on public transport
SA starts testing smartphone payments on public transport

2024-07-09 18:49

Meet Telstra's new CISO
Meet Telstra's new CISO

2024-07-09 18:43

Opposition grows against EU's proposed ISP upload filtering
Opposition grows against EU's proposed ISP upload filtering

2024-07-09 18:34

Justin Thomas cares more about winning the Ryder Cup than whether he should be on the US team
Justin Thomas cares more about winning the Ryder Cup than whether he should be on the US team

2024-07-09 18:30

40% of people would ditch social media to guarantee data privacy, study says
40% of people would ditch social media to guarantee data privacy, study says

2024-07-09 18:18

Apex Legends Season 2 begins on 2 July 2019
Apex Legends Season 2 begins on 2 July 2019

2024-07-09 18:08

Challenger ISPs scrap for tiny NBN market share
Challenger ISPs scrap for tiny NBN market share

2024-07-09 17:54

Hospital chaplain is brining Christ to coronavirus patients
Hospital chaplain is brining Christ to coronavirus patients

2024-07-09 17:18

Wari customers can now request financial services on WhatsApp
Wari customers can now request financial services on WhatsApp

2024-07-09 16:59

Load comments (0)