Last year we launched a private, beta bug bounty program for over 200 security researchers. They found nearly 100 bugs — all of which have been fixed, helping to improve security at Uber. So today we’re excited to announce our official bug bounty program. Payouts will go up to $10,000 for critical issues. We’ve also created a first-of-its-kind loyalty reward program that is designed to encourage members of the security community to dig deep, helping Uber to deal with even the most subtle bugs.
The first reward program season will begin on May 1 and will last 90 days.
Bounty hunters will be eligible for the reward program once they have found four issues that have been accepted by Uber as genuine bugs.
If they find a fifth issue within the 90-day season, they will receive an additional bonus payout equivalent to 10% of the average payout for all the other issues found in that season.
The same rules apply to any additional bugs reported within that 90-day season.
In addition, we’re focused on being as transparent as possible so that researchers have access to the right information, right from the start.
Uber has created a treasure map guide to show security researchers how to find the different classes of bugs across our codebase. This will be regularly updated.
We will publicly disclose and highlight the highest-quality submissions (with the permission of the researcher, of course) so everyone can see the best examples of the kinds of issues that get rewarded.
Whenever feasible, we will provide researchers with access to new features at the same time that we’re rolling them out to Uber employees.
We believe that bug bounty programs are an important part of the modern software development lifecycle. Our unique program combines healthy rewards, a loyalty program, and a ‘treasure map’ of information to incentivize our community to find even the most subtle bugs as we work together to protect users.
– John “Four” Flynn, Uber Chief Information Security Officer