Posted by Robert Vamosi on March 22, 2016
The ride-sharing company Uber today released a technical map of its computer and communications system along with an invitation to security researchers to help secure its software. According to the Reuters News Service, Uber has released a “treasure map” of its software infrastructure, identifying what sorts of data might be exposed inadvertently and suggesting what types of flaws are the most likely to be found. A list on HackerOne enumerates what is and what is not a valid vulnerability.
“We’re wrapping up a lot of information and posting that to level the playing field so that it could be as easy for outside researchers to find flaws as us,” Collin Greene, manager of security engineering at Uber, told the news service.
While companies such as Uber might not pay as much as criminals, they do offer “white hat” researchers more ethical options. For example, Google has had a bug bounty program in place for years, offering security researchers money in exchange for not going public with serious flaws. This gives the company time to fix the flaws without tipping off criminals.
United Airlines offers up to $1 million for remote code execution vulnerabilities.
Some companies, such as GM, don’t offer researchers any money, only recognition after the flaw is patched.