Ridesharing service Uber has announced some changes to its bug bounty program, including a new set of terms and conditions, as well as new monetization opportunities for white hatters.
First off, some stats. Since August 2017, Uber has rewarded ethical hackers over $290,000 in bug bounties and resolved nearly 200 issues. The all-time total payout now stands at $1.4 million.
The number of bug reports is trending down while the percentage of paid reports is rising, which indicates a healthy signal-to-noise ratio: Uber's security team is spending more of its time triaging valid reports than invalid ones.
Security researchers looking to participate in the program will have to agree to the updated terms which Uber claims “provide more specific guidance on what good faith vulnerability research looks like and what type of conduct falls outside that.” The terms also include instructions on what to do if researchers come across personal / user data while looking for bugs. And if researchers somehow get in trouble while acting in good faith, Uber says it has their backs.
“If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program,” reads the updated documentation.
In addition, researchers who include a working proof-of-concept (a script that demonstrates how the vulnerability can be exploited) in their report will be offered a bonus on top of the final bounty for the resolved report.
“We are also offering researchers an additional $500 on top of the final bounty for their resolved report if they include a fully scripted POC in their original report. This will allow us to quickly and thoroughly test issues once they are resolved, and run the POC again down the line to ensure there have not been regressions,” Uber says.
Lastly, moving forward, when researchers choose to donate their bounty to a charity, Uber will match those donations up to $100,000.