Heads up, security researchers: Uber needs help, and it's prepared to pay for your assistance.
The app-based car service on Tuesday launched an official bug bounty program offering rewards of up to $10,000 in exchange for information about "critical" security issues in its code. The move comes after Uber last year launched a private, beta bug bounty program limited to 200 security researchers, who found nearly 100 vulnerabilities, all of which have since been fixed.
As an added incentive, Uber has created what it calls a "first of its kind loyalty reward program" offering extra cash to the most prolific bug finders. Here's how it works: bounty hunters will have 90 days to find as may bugs in Uber's code as possible—even "subtle" ones.
If you manage to find a handful of genuine bugs within that 90 day period (ideally, at least five), you'll get a bonus equivalent to 10 percent of the average payouts for the first four issues you identified in that session. The first "reward program season" will kick off May 1, so you might as well get started now.
"Even with a team of highly qualified and well trained security experts, you need to be constantly on the look-out for ways to improve," Uber's Chief Security Officer Joe Sullivan said in a statement. "This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."
To aid researchers in their search for bugs, Uber created what it calls a "treasure map guide" showing how to find different classes of vulnerabilities across the company's codebase. The company also promised to publicly disclose and highlight the highest-quality submissions, with the researcher's permission, so everyone can see what kinds of issues get rewarded. Finally, Uber will provide researchers with access to new features at the same time it rolls them out to employees, whenever possible.