Uber Offers Hackers a $10,000 Reward to Find Bugs in Its App

Uber is an obvious proponent of the gig-economy: Using freelancers has helped the company become one of the most popular methods of transportation. And today, Uber announced that it is pushing its preference for freelancers in the security sector of their company as well.

Uber has put up to the public a “bug bounty” program that offers white-hat hackers money by the project for finding even the smallest bugs in the company’s software. And to build up excitement, they’ve attached an eye-catching payout of up to $10,000.

“Even with a team of highly-qualified and well-trained security experts, you need to be constantly on the look-out for ways to improve,” Joe Sullivan, chief security officer, said in a statement. “This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”

To do so, Uber partnered with HackerOne, a company that is “rewarding friendly hackers who contribute to a more secure internet.” HackerOne has a board of advisors ranging from Tesla’s head of security Chris Evans to Google security engineer Kostya Kortchinsky.

Uber is attempting to retain hackers like an airline company retains flyers with a “first of its kind loyalty reward program.” Starting on May 1, bug bounty hunters have 90 days to find more than four Uber-certified bugs. Starting with the fifth bug, Uber will tack on an additional 10 percent bonus payout for each new bug.

The company has promised a decent amount of transparency to help hackers get to the root of problems faster with a “treasure map.” The treasure map attempts to live up to its name by listing Uber layouts and offering various tips on getting deep into the company to find even the most subtle bugs that might be lurking in the programming.

While the treasure map might be exciting for the people looking to cash in on the company’s dime, it also might be exciting for black-hat hackers with more nefarious intentions. But Uber insists that it isn’t giving up any information that isn’t already available to the public, it is just putting that information out in the open for everyone to find it more easily. In addition to the app itself, the treasure map explains and tells what to look for on the riders, developer, partners, business, and vault pages. That last one in particular might catch some eyes, as it is where bank information and national ID numbers are stored, sensitive information that Uber had some trouble keeping private last year.

During last year’s private version of the program, more than 200 security researchers found almost 100 bugs.

If Uber sees that type of success from the public (and hackers decide not to use the treasure map for more than its intended purpose), it just might be able to avoid any more embarrassing security issues.

We’ll keep you posted on what bugs these hackers expose.

Correction (3/29/16): In the original version of this article, it was stated that HackerOne was a non-profit corporation, when, in fact, it is a for profit company. The article as been edited to reflect that.