Uber has followed in the footsteps of other big tech companies that use bug bounty programs to find and fix critical bugs in their products. Uber's stated aim in launching the program is to protect the personal information of its riders and drivers.
The program kicks off on 1 May, and security researchers then have a 90-day window to report bugs in Uber's systems. Uber's bounty program is not identical to those run by other Silicon Valley firms such as Facebook, Microsoft, Google, Twitter and Yahoo. The company has taken the unorthodox step of announcing that it will provide bug hunters with a "treasure map" designed to steer them toward the potentially vulnerable areas of its site.
Collin Greene, head of product security at Uber, said: "By giving them a treasure map of the structure of our system, they can spend their time looking for really subtle bugs."
Uber has published a list of the vulnerability classes the company is interested in. Notable entries include:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-side Remote Code Execution (RCE)