The program's first round will start on May 1, 2016

Mar 22, 2016 16:45 GMT  ·  By

Uber has joined the ranks of the Silicon Valley tech elite after today it launched its official security bug bounty program via the HackerOne platform.

But the bug rewards program has a catch. While rewards can go up to $10,000 (€9,000) based on the complexity of each issue, the company has announced that security researchers will be eligible for the reward program once they have found at least four original (non-duplicate) security issues.

These have to be submitted during 90-day periods, called reward program seasons, with the first one starting on May 1. If during this 90-day period the researcher finds a fifth or sixth issue, Uber says it'll pay an additional bonus payout that's 10% of the average payouts for the first issues discovered during the current bug hunting season.

Uber ran a test bug bounty program last year

As the Uber team explains in its official announcement, the company decided to create an official bug bounty program after experimenting with a closed beta bug rewards program last year.

Back then, the company invited 200 security researchers to dig deep into its frontend and backend software applications. The results didn't disappoint, and the researchers uncovered 100 security issues by the program's end.

According to Uber, if the program is successful, some trusted researchers could even be invited to test out new service features at the same time they're being rolled out to its employees.

Only certain bugs, in certain platforms, will be rewarded

To help security researchers start out, the company has even provided a so-called "treasure map" where it lists all the services eligible for the bug bounty program, also explaining what kind of bugs it wants researchers to dig around for and the technology each platform runs on.

Additionally, Uber's HackerOne listing also reveals what kind of bugs the company is expecting researchers to find, and what bugs are either off limits or too trivial to reward.

For starters, researchers can start looking for the always-dangerous SQL Injection (SQLi) flaws, Server-side Remote Code Execution (RCE), Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), XML External Entity (XXE) attacks, Open Redirect vulnerabilities, and many others.