Over the past decade, there’s been an explosion of bug bounty programs that pay hackers big cash rewards for finding vulnerabilities in applications and Web services. On Tuesday, ride-hailing service Uber became the latest company to embrace the trend with the unveiling of its own program.
In most respects, the program is similar to those offered by Google, Facebook, and so many other companies. It pays as much as $10,000 for the most critical vulnerabilities and provides a public forum to acknowledge the smarts of researchers who privately report bugs that no one inside the company was able to identify. Still, there are a few features that its designers say make it stand out from what’s been done so far.
For instance, the Uber bounty program comes with a technical treasure map of sorts that’s intended to help researchers find high-severity bugs quickly. The treasure map included with Tuesday’s announcement enumerates some of the company’s most security-sensitive subdomains, along with a brief description of types of assets that are at stake and the types of vulnerabilities that might threaten them. A description of partners.uber.com, for instance, describes it as the place driver partners visit to access private driver documents, payment statements, tax information, and other highly sensitive data.