Uber recently announced that it has launched a bug bounty program that will pay white-hat hackers up to $10,000 for identifying “critical issues,” such as the exposure of Social Security numbers, credit card numbers, bank account numbers, and driver’s license images. If a white-hat can take over a rider/partner account in full without interaction, Uber will pay the hacker, on a sliding scale, for the information on how they did it.
Uber will pay up to $5,000 for the exposure of “significant issues,” including, “Stored Cross-site Scripting which can cause significant brand damage (e.g., in a homepage), missing authorization checks leading to the exposure of email addresses, date of birth, names, phone numbers, etc.”
“Medium issues,” which include “access control issues which do not expose PII but affect other accounts…,” will be rewarded with a payout of $3,000.
As of March 28, Uber had rewarded multiple white-hats with payments and has “resolved” many reports. Uber “thanked” 66 hackers and has closed 99 reports as of this writing.