A year after debuting a private computer bug bounty program, Uber said it is doubling down on its cybersecurity effort by expanding and opening the program to the public.
The white-hot, ride-hailing firm—last valued at more than $60 billion—says it is also introducing an unusual loyalty rewards program for participants. Hackers who uncover a string of bugs will receive bonus payouts, the sums of which are determined as a portion—10%—of the average of the previous rewards.
Hackers who report critical vulnerabilities can earn as much as $10,000 for their work, the company said.
Get Data Sheet, Coins2Day’s technology newsletter.
“The way we thought about the bonus program was like bowling a couple of strikes in row—you add more on top of the previous amount,” explains Collin Greene, a security engineer at Uber who manages the project and who previously oversaw Facebook’s (FB) bug bounty program. “We think its an exciting way to get people locked in,” he adds, mentioning he hopes it will encourage researchers to take the time to get up to speed on the unfamiliar system.
Greene tells Coins2Day that he is most excited about the company’s creation of a “treasure map,” a document containing details about the architecture and layouts of Uber’s websites and apps. He says the map will make it easier for outsiders to find security vulnerabilities.
For more on hacking, watch:
During the 9-month initial limited trial period, Greene cites the most common bugs found were “missing authorization” bugs, which pay $5,000 a piece and do not endanger customer information. The first run had 200 invited participants, who filed a total of about 100 reported issues.
Uber has chosen to run the program through HackerOne, a bug bounty startup that originally spun out of Facebook. The startup has about 500 programs up and running at companies such as Twitter (TWTR), Yahoo (YHOO), Square (SQ), and Snapchat, three-quarters of which are private.
Alex Rice, co-founder and chief technology officer of HackerOne and one of the original designers of the program at Facebook, tells Coins2Day that Uber’s approach is more open than many other organizations. “They’re doing a pretty unprecedented level of transparency,” he posits, mentioning the plans for a so-called treasure map.
Read more: “Google Just Doubled the Reward for Cracking into Chromebooks“
Uber recently poached a number of top security personnel from the social network, including Uber’s security chief Joe Sullivan. “Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look-out for ways to improve,” Sullivan said in a statement about the initiative. “This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber.”
The bug bounty program complements a number of other key cybersecurity hires that Uber has made in the past year. In addition to on-boarding 40 Carnegie Mellon roboticists, the company poached Charlie Miller and Chris Valasek, last year’s infamous Jeep Grand Cherokee hackers, from their respective roles at Twitter and cybersecurity firm IOActive.
The U.S. Department of Defense also made waves at last month’s RSA cybersecurity conference in San Francisco when Secretary of Defense Ashton Carter said the Pentagon planned to introduce a bug bounty program of its own. Other companies that have implemented such programs include General Motors (GM), Tesla (TSLA), and United Airlines (UAL), which offers frequent flier miles as rewards.
