Want to earn $10,000? Just hack Uber's website and apps!

On Tuesday, ride-sharing company Uber launched a bug bounty program covering both its website and its mobile applications. The goal of the program is to encourage security researchers to find vulnerabilities and security issues in the company's website and apps, which benefits both Uber and the researchers.

Uber hired the car hacking experts Chris Valasek and Charlie Miller last year, and it now joins the list of companies that run bug bounty programs and pay large rewards to security researchers. Before this public launch, Uber ran a private beta bug bounty program, during which researchers reported more than 100 vulnerabilities.

The bug bounty program covers domains such as "uber.com", ".dev.uber.com", "ubermovement.com" and "petition.uber.org". Security researchers are also invited to analyse Uber's official Android and iOS apps, and all blogs, websites and partner incentive sites owned by Uber are in scope as well.

The following vulnerability classes are in scope under the bug bounty program:

1. Cross-site scripting (XSS)

2. Server-side request forgery (SSRF)

3. SQL injection

4. Cross-site request forgery (CSRF)

5. XML external entity (XXE)

6. Server-side remote code execution

7. Open redirect and path disclosure

8. Local file disclosure

9. Information disclosure

10. Access control

11. Directory traversal

Uber is offering $10,000 for each critical vulnerability, such as remote code execution. Attackers could exploit flaws of this kind to gain access to the internal network or production servers, so Uber pays the most for them in order to protect sensitive financial and personal information. For stored XSS and other vulnerabilities that expose sensitive information, Uber is offering $5,000.

For medium-severity vulnerabilities such as CSRF, access control bugs, reflected XSS and lesser information disclosure, Uber is offering $3,000. Researchers may also report fraud, but no reward is offered for those reports at present. Researchers are allowed to publish their findings publicly once the vulnerability they reported has been fixed.

Uber's bug bounty program is hosted on the HackerOne platform. Researchers who find more than four security issues before 1 May are eligible for a bonus; this is Uber's first loyalty reward program.

Uber faced two major security incidents last year. In the first, unauthorized access was gained to data containing the license numbers of 50,000 Uber drivers. In the second, personal details of US Uber drivers ended up in the hands of hackers. This bug bounty program shows that Uber is taking the security of its customers and employees seriously.