Uber’s business model is based on a simple notion: Why employ drivers full time when you can hire them more efficiently as freelancers? It’s no surprise, then, that the company’s come to the same conclusion on cybersecurity, recruiting an army of gig-economy hackers who are paid by the exploit instead of by the hour.
On Tuesday, Uber announced that it’s officially launching a “bug bounty” program that will pay independent security researchers thousands of dollars in rewards for finding hackable bugs in its apps and websites. That makes the ride-sharing firm the latest tech giant to adopt the strategy of crowdsourcing the auditing of its code to shore it up against less benevolent hackers. Finding a bug that could deface Uber’s homepage or expose users’ email addresses earns $5,000, for instance, while one that could fully take over Uber accounts or run malicious code on an Uber production server can earn as much as $10,000.
But Uber, which is launching its program with the help of the bug-bounty-focused firm HackerOne, has gone a step further than older programs run by Google, Facebook and Microsoft: It’s trying out a bug bounty “loyalty system” that gives hackers bonuses for repeated bug discoveries in Uber’s platform. It’s also promised to release a “treasure map” for bug bounty hunters designed to guide them toward potential vulnerabilities in the site—mapping out the company’s code to make bug hunting as efficient as possible.
The idea, says Uber head of product security Collin Greene, is to incentivize security researchers to “go deep” in Uber’s code, instead of flitting between different companies’ bug bounty programs searching for low-hanging fruit. And the “treasure map” is designed to share with external hackers the same systems architecture information that internal staff have access to, a move that can save bug hunters weeks of recon time and help them start uncovering serious vulnerabilities in the company’s code. “We’re saying ‘here are the different portions of the website, the mobile apps and how they work, and the technologies underneath them. If I were a security researcher, here’s where I’d look,’” says Greene. “By giving them a treasure map of the structure of our system, they can spend their time instead looking for really subtle bugs.”
All of that might sound like a particularly aggressive invitation to hackers, and one that could backfire. But Uber argues that it’s not revealing anything in its treasure map that isn’t already public. And since that information is already discoverable by serious hackers motivated by criminal profit, the company reasons, it’s better to offer it to those seeking to report vulnerabilities to Uber, too. “It’s in our best interest to make sure that the right people with the right intentions—security researchers who are going to look at our code and report bugs directly to Uber—have the information in an easy to understand way,” Greene says. “We believe a more transparent program will be a more successful [one].”
Uber’s bug bounty program isn’t as new as it sounds. It’s already paid hackers more than a hundred bug bounties in a private beta version of the program that it’s quietly run for a year. And it’s been on a security hiring spree that includes experienced bug bounty managers: Both Greene and Uber chief security officer Joe Sullivan were hired from Facebook, where Greene formerly oversaw a bug bounty program that’s paid out millions of dollars. In fact, Uber’s new features show just how far the culture of bug bounties has evolved: Major tech firms are now competing for independent hackers’ attention—and not just with money, but in Uber’s case, by making the process of bug discovery more efficient. “We want to make this a bug bounty program that researchers adore,” says Greene.
One step Uber has yet to take, however, is to extend its bounties to its actual cars. For now, the program only applies to bugs found in its websites and apps for riders and drivers. That’s a predictable limitation, of course, given that Uber doesn’t actually own drivers’ vehicles. But Uber got a taste of automotive cybersecurity flaws over the summer when a group of researchers at the University of California at San Diego found a vulnerability in a certain Internet-connected insurance dongle offered to Uber drivers; the dongle’s Internet connection allowed the researchers to access vehicles’ internal CAN networks, turning on windshield wipers or cutting their brakes.
Other companies are beginning to experiment with automotive bug bounties. Tesla’s bounty program includes hackable flaws in its vehicles, and GM recently launched a vulnerability disclosure program, albeit one without monetary rewards. But that’s not to say Uber isn’t taking the risk of vehicle cybersecurity seriously, too: in August it hired a pair of hackers who remotely hacked a Jeep over the Internet (at one point while I was driving it on a highway) to show they could cut its transmission and brakes. It may not be long before Uber pays out bounties for hacking not only the computers that run its websites, but the ones on wheels, too.