Wednesday, March 30, 2016

Uber Bug Bounty Program

Recently the popular driving service Uber announced a bug bounty program that pays hackers to find exploits within the company's services. Hackers are paid by the number of exploits they are able to find rather than on a normal pay basis. The amount that they receive varies based on how threatening the exploit is to the company. An exploit that reveals a user's private information will likely earn half the amount that would be awarded to one that could run malicious server code. By starting this program Uber is making the site safer, as it's likely most bugs will be fixed before they get into the hands of malicious hackers not interested in the monetary value.

I found this article to be very interesting with some points worth mentioning. The first detail that was surprising was the fact that a lot of companies offer the same bounty programs. Companies like Google, Facebook, and Microsoft offer very similar programs that award cash to hackers who can find bugs within their products. I feel that this is a great move for these tech giants as it's a deterrent for hackers to sell exploits to each other. Most hackers sell exploits to those who might seek monetary gain from using them. For example, most groups would pay money for an exploit that revealed users' credit card numbers.

The article also revealed that it's not the first time the company has implemented a bug bounty program. In the early days of the Uber app this tactic was used to improve the security of the application before launch. More interestingly, the degree to which these exploits are harmful is quite worrisome. When you unleash a ridiculous number of hackers against your company they're sure to find some harmful bugs. Researchers at the University of California found a way to control the brakes of cars and other functions of the vehicle like the windshield wipers with a dongle provided by the Uber company. Again, this is an extreme case but it certainly proves that having this program is also potentially a bad thing in some sense.

Some organizations like the Energy and Commerce Committee are a potential setback to these bounty programs, as they feel that it should be illegal for this kind of research to be going on. This comes after a security threat that affected 1.4 million vehicles, allowing unauthorized remote control access to critical functionality. This includes braking, steering and the transmission. Uber proves that, if well organized and maintained, the bounty programs are very beneficial to the company and its users.

I feel that this article could do better in explaining the potential risks of having this program in place, as it talks extensively about the benefits. I'm also curious about the actual statistics of this program and how many exploits are found in a year. I wonder what happens when two users report the same exploit and who receives the reward?

http://www.wired.com/2016/03/uber-bug-bounties/

http://www.wired.com/2015/10/terrell-mcsweeny-white-hat-car-hacking-makes-cars-safer/

8 comments:

  1. The new bug bounty program sounds, in my opinion, like a necessary step. Because personal information, like credit card information and personal location, is part of the app, the potential hackers would be unsafe and costly. With companies as big as Target having their customers' credit card information leaked, it's safe to assume that any company can be vulnerable to hackers.

    While I understand that the Energy and Commerce Committee sees flaws in the program, I believe that necessary steps can be taken to eradicate the problems. For example, finding credible computer scientists to do the hacking. This would ensure that handing them all of Uber's information is safe. The company could also put in the Terms and Conditions that hackers have access to the information in order to let consumers know before they use the product.

  2. Hello Nick,

    I wanted to start by saying, great blog post. I really like the topic that you chose. I think that the article about Uber is very appropriate because in today's day and age Uber is used in high demand by college students. But, I think that the Uber app is very unsecure and that is a major flaw of Uber. The risk of customers' credit card/personal information being vulnerable to hackers is a big risk to all companies. I agree that some steps need to be taken in order to ensure customers that their information is safe and out of the hands of hackers.

  3. I found this article and your response to it very interesting, particularly because we have just learned about ethics and privacy in class, as well as what hackers do with people's data. I also find your first major detail of the article, that other companies such as Google, Facebook, and Microsoft are using this same type of bug bounty program, very interesting. Because Uber is investing in this program already being used by major businesses, it shows that Uber is stepping up in the business world. Also, the use of this by these other major companies shows that the program is obviously a good one and worth having, meaning it will most likely prove very helpful for Uber. I see that you have explained briefly some of the risks that having this bug bounty program can bring to the company, but I wish there was more detail about the actual risks and how it will affect not only Uber but the people who use this app. I also agree with Victoria and support her idea that investing in computer scientists or IT specialists to study and collect this data will be helpful.

  4. I found this article to be very interesting and relevant in comparison to what we are currently discussing in class in regards to online security. Uber is a huge business that has revolutionized the taxi and transportation industry, however, especially in recent news it has been under fire for many of its security flaws. It is also interesting to note that the company uses hackers in order to find bugs in their system, which is a different perspective from what we have discussed in class in that hacking can be used to help a company instead of contributing as a negative and harmful factor against the company. I agree that the bug bounty program is an important asset in improving Uber and making it a safer and more secure website and business as a whole.

  5. Hey Nick,
    I found this article really interesting. I have never heard of this hacker work before and it was a new idea for me. I think, like you, it's a great idea for these companies to hire these hackers to fix bugs and prevent malicious hackers from stealing information. Especially with Uber, a lot of your personal information is linked to your account, as well as credit card information. These hackers can make the site safer, which is also appealing to customers. Also, I was wondering too about the potential risks of this program and how they ensure that the hackers are doing their job correctly. And how many bugs do they actually find in the program? That would be an interesting insight.

  7. I think this is a really interesting and new way to discover your weaknesses within a program or application. Instead of pitting your company against your enemies, aka the hackers, finding a way to work with them is an innovative way to expose the flaws of your systems. My only worry with this venture is the scary possibility of the hackers, instead of revealing the bugs they found, taking critical information such as credit card numbers and stealing or reselling them. It is also concerning how many bugs these hackers are possibly finding in this system that me and so many of my peers trust to use on a frequent basis. I would be interested in further learning of how many bugs were discovered and what Uber is doing to fix these problems.

  8. This is a very interesting and relevant blog post. Almost everyone I know has and uses the Uber app. From a security perspective, I think Uber is doing the right thing by paying hackers to find flaws in their system. Uber accounts are connected to credit or debit cards and if a hacker can get this information, they would potentially have access to hundreds of thousands of personal user information. This could result in monetary losses or identity theft. In class, we talked about the importance of IT to protect consumer information and how easy it is for hackers to collect this information. I think Uber's proactive approach to security is overall a good move for the company.

