We are excited to share that Uber is launching its public bug bounty program today on HackerOne. Additionally, Uber and HackerOne collaborated to create a new way of rewarding hackers called bonuses, which enables security teams to give additional monetary awards to hackers beyond initial bounties. The Uber loyalty program will utilize HackerOne bonuses for additional incentives in its public program.
The Uber loyalty program begins on May 1 and runs for a 90-day season. Uber's first-of-its-kind loyalty program offers hackers even more opportunities to earn rewards. Within the season, a hacker begins earning a bonus for the 5th resolved issue that earns a bounty. The bonus amount will be calculated by taking 10% of the average of the first four bounties awarded to the hacker. The hacker will continue earning bonuses for additional resolved and rewarded issues until the end of the season. With this loyalty program, Uber is rewarding hackers for continuing to focus on its program.
The bonuses feature is available for immediate use by any team hosting a bounty program on HackerOne. Bonuses can be used to recognize hackers for positive actions beyond finding valid vulnerabilities. The new feature creates more ways for hackers to earn rewards on HackerOne, and for security teams to offer more flexible incentives. In addition to Uber's loyalty program, below are some ways that companies can use HackerOne Bonuses.
High Quality Report Bonus
Did you receive a report from a hacker that was exceptionally useful? Award a bonus in addition to the bounty to show them that they went above and beyond the call of duty. Teams can also publicly disclose these reports to show other hackers the kind of report that can earn a bonus.
Specific Request Bonus
Did a hacker help you verify that an issue was resolved appropriately, or format the report according to your instructions? Awarding a bonus is a great way to positively reinforce the kind of behavior you find most helpful from hackers.
The bonus feature makes it easy for teams to run a promotion during a specific time frame, or add extra incentives for issues found within a desired product or feature. Use bonuses to offer additional incentives to focus hackers on the scope you care about most.
Getting Started with Bonuses
When you resolve a report in HackerOne, you will now see a new field next to the bounty reward field where you can assign a bonus. For public programs, awarded bonuses will display in the hacktivity stream. Teams can easily track bonus rewards and top contributors without impacting the market rates for vulnerabilities. Bonuses earned do not impact hacker reputation.
If you have other ideas for how to use bonuses or feedback about the feature, we'd love to hear from you. As always, please feel free to contact us at firstname.lastname@example.org. For specifics on Uber's program, like the treasure map, check out Uber's blog and the Uber security page.