Recently the popular ride-hailing service Uber announced a bug bounty program that rewards hackers for finding exploits within the company's services. Hackers are paid by the number of exploits they are able to find rather than on a normal salary basis. The amount they receive varies based on how threatening the exploit is to the company. An exploit that reveals a user's private information will likely earn about half the amount awarded for one that could run malicious code on Uber's servers. By starting this program Uber is making its services safer, as it is likely that most bugs will be fixed before they get into the hands of malicious hackers who are not interested in the monetary reward.
I found this article to be very interesting, with some points worth mentioning. The first detail that was surprising was the fact that a lot of companies offer the same kind of bounty program. Companies like Google, Facebook, and Microsoft offer very similar programs that award cash to hackers who can find bugs within their products. I feel that this is a great move for these tech giants, as it's a deterrent for hackers to sell exploits to each other. Most hackers sell exploits to those who seek monetary gain from using them. For example, most groups would pay money for an exploit that revealed users' credit card numbers.
The article also revealed that it's not the first time the company has implemented a bug bounty program. In the early days of the Uber app this tactic was used to improve the security of the application before launch. More interestingly, how harmful these exploits can be is quite worrisome. When you unleash a ridiculous number of hackers against your company, they're sure to find some harmful bugs. Researchers at the University of California found a way to control the brakes of cars, and other functions of the vehicle like the windshield wipers, through a dongle provided by Uber. Again, this is an extreme case, but it certainly proves that having this program is also potentially a bad thing in some sense.
Some organizations, like the Energy and Commerce Committee, are a potential setback to these bounty programs, as they feel that it should be illegal for this kind of research to be going on. This comes after a security threat that affected 1.4 million vehicles, allowing unauthorized remote control of critical functionality, including braking, steering and the transmission. Uber shows that, if well organized and maintained, bounty programs are very beneficial to the company and its users.
I feel that this article could do better in explaining the potential risks of having this program in place, as it talks extensively about the benefits. I'm also curious about the actual statistics of this program and how many exploits are found in a year. I wonder what happens when two users report the same exploit, and who receives the reward?