Hunting for vulnerabilities in the expensive, heavily engineered software that large companies run was long something you did only if you were confident you could report your findings anonymously, or if you planned to put them to less savory use. Lately, however, a movement toward accepting outsiders who break into systems and report what they find, or "white hat hacking", has been picking up steam in the corporate world. Some of the biggest names, Google among them, now pay independent security researchers for finding holes in their software and reporting them so they can be patched. Uber is the latest company to join in, but it has upped the ante: would-be white hats get not only the promise of a reward, but a detailed road map to consult on their bug-hunting journeys.
Uber is offering researchers a "treasure map" that lays out in detail how its backend data systems fit together, along with a sort of field guide describing the kinds of information worth looking for and the classes of flaws that have a reasonable chance of turning up. Laying bare the inner workings of a company's proprietary software this way is rare in the tech space, at least outside the open-source world; it spares researchers much of the reconnaissance they would otherwise do on their own and points their effort at the bug classes the company most wants found. Uber's help to aspiring hackers shows a fair bit of confidence in the security of its systems, as well as a willingness to work closely with whoever finds an exploit.
This move may well set a precedent for other companies to follow, mirroring the open-source mentality of letting the very crowd capable of compromising a product help to secure it. If that shift happens, it will likely be slow and gradual, especially with the current nationwide emphasis on security in the United States and the debates it has spawned. Startups such as HackerOne and Bugcrowd already act as go-betweens for researchers and companies, and they also routinely win contracts that give them access to pre-release software. Slowly but surely, outfits like these are helping to usher in the age of crowdsourced security research.