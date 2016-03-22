
SAN FRANCISCO, March 22 Uber, the high-flying
transportation firm, is releasing a technical map of its
computer and communications systems and inviting hackers to find
weaknesses in exchange for cash bounties.
While so-called "bug bounties" are not new, Uber's move
shows how mainstream companies are increasingly relying on
independent computer researchers to help them bolster their
systems. It also indicates growing acceptance of the idea that
making computer code public can make systems more secure, a
philosophy that has long been advocated by the open-source
software movement.
Uber's "Treasure Map" details the ride-hailing company's
software infrastructure, identifies what sorts of data might be
exposed inadvertently and suggests what types of flaws are the
most likely to be found.
"We're wrapping up a lot of information and posting that to
level the playing field so that it could be as easy for outside
researchers to find flaws as us," said Collin Greene, manager of
security engineering at Uber.
Companies rarely say much about their proprietary
programming, except to enable third parties to make compatible
software.
"That's a level of confidence that you have not seen too
many closed-source software companies take in the past, and I'm
really hopeful that others will follow suit," said Alex Rice,
chief technology officer at HackerOne, which is managing Uber's
bounty program.
HackerOne, a San Francisco rival called Bugcrowd and other
startups have helped accelerate efforts to tap the independent
security community to identify serious programming mistakes
before criminals or spies do. They serve as intermediaries
between researchers and companies, and sometimes vet the
researchers' findings before passing them on.
A decade ago, hackers pointing out problems feared arrest,
but they can now earn modest sums from platforms like HackerOne.
Firms such as Uber, looking to bolster their defenses, don't pay
as much as criminals and military contractors, who are looking
for tools to carry out offensive attacks, but they offer an option
to those who would prefer to act as "white hats."
Bugcrowd Chief Executive Officer Casey Ellis said he has
seen a surge in corporate clients asking for private bounty
programs that are open to selected researchers.
"That increases the amount of trust you are giving to the
researchers," Ellis said. "We run trusted programs where people
get prerelease versions of Internet of Things devices or access
to source code."
(Reporting by Joseph Menn; Editing by Jonathan Weber and
Jeffrey Benkoe)