Uber Launches New Promotions for ‘Hack the World’ Bug Bounty Competition

Uber Privacy & Security
4 min read · Oct 17, 2017


Lindsey Glovin, Program Manager, Product Security

Uber is teaming up with HackerOne to create the largest promotions in our program’s history with up to $50,000 in bounties!

We are grateful to the amazing team of talented and loyal hackers already finding and reporting meaningful bugs to our security team. To say thanks to those who’ve been with us from the beginning and to welcome new researchers to the program, we’re launching several new promotions during HackerOne’s Hack the World competition.

$20K for the Top Uber Report

Uber’s bug bounty program is focused on identifying bugs with high security impact and we want to celebrate and recognize the researchers who help us find these important bugs. Therefore, the report with the highest security impact submitted to our program during HackerOne’s Hack the World competition will be awarded $20,000. This will be our largest single payout to date!

Double Minimum Bounty for First-Time Researchers

If you’ve never submitted to Uber’s bug bounty program before, your first valid and triaged report is eligible for a $1000 minimum bounty if you submit it during the Hack the World competition. This is twice our normal minimum bounty of $500.

Extra Bounty for Hack the World Winners

We’re also awarding $5,000 to the first and second place winners of the Hack the World competition, regardless of whether or not you submit a report to Uber during that time.

An Inside Look: What Happens to Bug Reports at Uber?

One of the things researchers consistently ask for is more insight into our internal processes and how security works inside Uber. Resources such as our recently updated Treasure Map give researchers a view into how we think about security and, ultimately, how to find the bugs we value most. We also want researchers to understand what happens to a bug bounty report after our security team validates it, and how those reports strengthen the overall security program at Uber.

Uber’s systems consist of thousands of microservices, supporting everything from fraud detection to maps processing. We use familiar enterprise security tools and programs, such as code audits and developer frameworks, to catch as many bugs as we can before code ships to production. However, your bug bounty reports are part of a critical feedback loop that helps make our internal tools and teams even stronger.

For example, once we validate a bug bounty report, we create a Phabricator task for the appropriate internal team or system owner with the details of the issue, reproduction steps, and recommendations on how to fix the bug. We have also built custom tools to help other engineering teams quickly visualize and mitigate serious bugs in their systems.

One of these tools is an interactive dashboard that tracks each team’s contributions to our overall security debt. It gives every engineer visibility into which bugs they’re responsible for fixing as well as how their team compares to others in keeping our security debt low. This dashboard combines bugs found through internal tools and audits with those reported by bug bounty researchers, giving our technical teams a holistic view of issues found during development and in the wild. It also helps individual engineers stay on top of their open security tasks and understand where vulnerabilities were written so they can prevent them in the future.

Uber’s security team built an interactive dashboard to help other engineers understand how much they contribute to the company’s overall security posture. Percentages reflect the number of security tasks assigned to individual engineering teams and clicking on each box provides details on open issues.
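The workflow above (validated report becomes a task with details, reproduction steps and a recommendation; the dashboard merges tasks from internal audits and bounty reports and shows each team's share of open security debt) can be sketched in a few functions. The following is an added example written for this page, not Uber's tooling or schema: the task fields, team names, task ids and report contents are all constructed, and the per-team percentage is one reasonable reading of the caption's "percentages reflect the number of security tasks assigned to individual engineering teams".

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTask:
    """One tracked security fix, modelled on the task described above.
    Field names are assumptions for this example, not a real tracker schema."""
    task_id: str
    team: str
    owner: str
    source: str          # "bounty" (validated researcher report) or "internal" (audit/tooling)
    severity: str        # "critical" | "high" | "medium" | "low"
    is_open: bool
    summary: str = ""
    repro_steps: tuple = ()
    recommendation: str = ""


def task_from_validated_report(task_id, report, team, owner):
    """Turn a validated bounty report into a task that carries the details,
    reproduction steps and fix recommendation the owning team needs.
    A report that is missing any of those is not ready to be handed over."""
    required = ("title", "severity", "repro_steps", "recommendation")
    missing = [k for k in required if not report.get(k)]
    if missing:
        raise ValueError(f"report lacks {missing}; triage is incomplete")
    return SecurityTask(
        task_id=task_id, team=team, owner=owner, source="bounty",
        severity=report["severity"], is_open=True, summary=report["title"],
        repro_steps=tuple(report["repro_steps"]),
        recommendation=report["recommendation"],
    )


def merge_sources(*task_lists):
    """Combine internal-audit tasks with bounty-derived tasks. The same task_id
    seen twice (an audit finding later also reported by a researcher) counts once;
    the first occurrence wins so the original owner and status are kept."""
    by_id = {}
    for tasks in task_lists:
        for t in tasks:
            by_id.setdefault(t.task_id, t)
    return list(by_id.values())


def security_debt_by_team(tasks):
    """Per-team share of all OPEN security tasks, as percentages (the dashboard figure)."""
    open_tasks = [t for t in tasks if t.is_open]
    counts = defaultdict(int)
    for t in open_tasks:
        counts[t.team] += 1
    total = len(open_tasks)
    if total == 0:
        return {}
    return {team: round(100 * n / total, 1) for team, n in sorted(counts.items())}


def open_tasks_for_engineer(tasks, owner):
    """What one engineer sees on the dashboard: their open tasks, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    mine = [t for t in tasks if t.is_open and t.owner == owner]
    return sorted(mine, key=lambda t: (order.get(t.severity, 9), t.task_id))


# Constructed sample data: tasks already filed from internal audits and tooling.
INTERNAL_TASKS = [
    SecurityTask("T-101", "payments", "alice", "internal", "high", True, "Missing authz check on refund endpoint"),
    SecurityTask("T-102", "maps", "bob", "internal", "low", False, "Verbose error page"),
    SecurityTask("T-103", "payments", "carol", "internal", "medium", True, "Outdated TLS library"),
]

# Constructed sample data: validated bounty reports waiting to become tasks.
# T-103 duplicates an internal finding, so the merge must not double-count it.
BOUNTY_REPORTS = [
    ("T-201", {"title": "IDOR on trip receipt", "severity": "high",
               "repro_steps": ["step 1", "step 2"], "recommendation": "check ownership"}, "rider-app", "dave"),
    ("T-103", {"title": "Outdated TLS library", "severity": "medium",
               "repro_steps": ["step 1"], "recommendation": "upgrade"}, "payments", "carol"),
    ("T-202", {"title": "Open redirect on login", "severity": "medium",
               "repro_steps": ["step 1"], "recommendation": "allow-list targets"}, "identity", "erin"),
]


def build_dashboard():
    """Returns (per-team open-debt percentages, merged task list)."""
    bounty_tasks = [task_from_validated_report(*r) for r in BOUNTY_REPORTS]
    tasks = merge_sources(INTERNAL_TASKS, bounty_tasks)
    return security_debt_by_team(tasks), tasks


if __name__ == "__main__":
    debt, tasks = build_dashboard()
    print(debt)
    for t in open_tasks_for_engineer(tasks, "carol"):
        print(t.task_id, t.severity, t.summary)
```

The deduplication step matters for the "holistic view" the text describes: if an audit finding and a researcher report for the same weakness were counted twice, a team's debt share would be inflated by its own diligence in running internal tooling.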

Uber’s security team works cross-functionally with every other engineering team across the company. Communication and relationship building are key to fostering a healthy technology organization and getting security bugs fixed quickly and thoroughly. We strive to be a “solve for yes” security team, enabling other teams to safely build new products and deliver new technologies at the speed of our business.

Since introducing this tool, we’ve been able to multiply our efforts on getting bugs fixed quickly and eradicating them from our codebase. This leads to an increased number of closed bug bounty reports and a better understanding of Uber’s security landscape among our technical teams. As our bug bounty program continues to grow and mature, we are thankful for all the researchers who contribute to security at Uber to help keep our riders and drivers safe. Your reports make a difference.
