
Uber Engineering Bug Bounty: The Treasure Map - myhrvold
https://eng.uber.com/bug-bounty/
======
IanCal
Having descriptions of all the various services is great.

Something I couldn't see here is that while you ask for bugs related to a
variety of accounts, are there ways of creating such accounts? I can fairly
easily ensure I don't poke at the normal user account of someone else, but
what about drivers/businesses/etc?

More generally for HNers, are there common ways of dealing with this? Do
people try and run parallel stacks that don't contain real info? Or do devs
setup fake accounts?

I'm not in this business so apologies if I'm missing something really obvious.

~~~
nabaraz
I sent an email to Uber about this. Other companies like Facebook and Xbox have a
way to create test accounts.

------
jwcrux
There are a ton of bug bounties nowadays, but it's a nice change of pace to
have a company give some data on backend stack, subdomains, and purpose of the
services up front.

Great move on Uber's part!

------
Shamiq
I would love a Marauder's Map for bug bounty programs: Show me who is working
on what, where they're finding bugs, and help me identify where I can most
efficiently spend my time. Lots of 'feel bads' if I report a bug that's
already been reported, and thus don't get a payout.

~~~
brebla
I am currently working on bug discovery for every big company. You should
probably stay away to avoid feel bads.

~~~
Shamiq
Oh, I know -- I got spoiled working at Matasano where we'd usually get the
first crack.

------
greggman
How about UX bugs

Like:

1. Messages to drivers are apparently not through Uber?

It seems like sending a message to a driver happens through SMS rather than
through Uber itself. This seems to result in the driver not seeing the message. Had
that happen twice yesterday. Told the driver exactly where I was. Driver gets lost
and calls me, and from the conversation it's clear he never read the message.

2. Can't change your pick-up point.

Ran into this yesterday. Was waiting near the corner of Franklin and Market, on
Market on the outbound side, wanting to go to the Sunset area. Guy doesn't read
the message, which specifically said turn right on Market (he was on Page, which lets
you turn right onto Market). Instead he crossed Market, at which point I
had to cancel the ride because it would have been another 10 minutes for him
to drive the 10+ blocks to correct his mistake.

That led to getting driver #2. He was coming down Gough, so in the interest of
making it easier for both of us I walked up to Gough. I wasn't able to change
my pick-up location. I messaged him that I had moved to Gough and Market. He
called when he got to Franklin and Market, making it clear he didn't get my
message.

~~~
HiroshiSan
As an uber driver, I've never had any problems messaging passengers or
receiving messages. I prefer that they go through my SMS.

The pick up point issue I have had on multiple occasions. Mostly it's that the
customer enters a bad pick up point or the pick up point they enter for some
reason on my end is a house or two down. When it's an apartment building the
pick up point directs me towards the back of the building. But a lot of common
sense and knowing my city well goes a long way.

~~~
umeshunni
This is particularly annoying when you travel abroad and the driver may not be
capable of sending messages to a US phone number.

~~~
superuser2
Have you ever actually experienced that?

~~~
umeshunni
Yes - I was visiting India last year and used Uber (ubiquitous and cheap in
major cities there) and noticed that the drivers had trouble finding me. One
or two of them told me that they tried to call my number (a US number on T-Mo)
and their plan didn't allow it.

------
meritt
The going rate for critical bounties is way too small. It's upsetting to see a
company worth $10+ billion offering $5k - $15k when it comes to the protection
of their users' information. Just earlier this month Facebook rewarded a
paltry $15k for a bug that could unlock any user's account. That sort of
information in the wrong hands, or resulting in a massive PII leak, will do a
few orders of magnitude more damage to their market cap and goodwill.

And I say this from personal experience. Two years ago I submitted a bug to a
$10B+ public company which revealed the personal information (email, name,
home address, phone) of ~145M users and they offered $10k. Another recent
example to a $50B+ public company via HackerOne that exposed the same sort of
data for ~77M users. They paid out $1k. I assumed they had left off a 0, but
nope, they actually told me $1k was higher than their normal bounty due to the
severity. Submitted a bug to a publicly traded food delivery company in the
UK, which revealed detailed order history (customer name, address, email, phone,
partial CC #) for their entire platform. They offered me £500 in food delivery
credit. All of my submissions have been purely in good faith and nothing at
all resembling extortion, but I assure you there are thousands of bad actors
out there far more skilled than I.

And there are plenty of legal outlets for this information (depending on how it
is accessed of course). Local governments and Lyft would love to know
ridership usage details about Uber.

~~~
bracewel
> paltry $15k

The tech/security community is crazy.

~~~
malka
No. You have to compare that number to how much you could get for that exploit
on the black market. $15k seems cheap for a critical bug on a major platform.

~~~
aianus
For many qualified technical people, $15k + recognition is worth more than
$500k + guilt + possible prison / looking over your shoulder for years.

~~~
nostrebored
Well the parent seemed to miss the point -- the real calculus is cost to the
company if the exploit were to be used effectively, monetary benefit to the
person who finds the bug, and the recognition you'd get in the blackhat
community.

~~~
Dwolb
Yes the payout calc by company is cost to the company of an exploit, but with
a repeated game scenario.

i.e. you can't look at the bug and payment in a vacuum, you have to factor in
future bugs.

So the cost is the value to the company for the exploited bug if used properly
plus the expected value of future bugs.

Which is weird, right? This shows companies can be internally incentivized to
reduce bug bounty payments to show 'they are improving' when in fact,
developers are leaving their bug bounty program.

------
pogilvie
So the first 'season' of the bug bounty is 90 days long, and to qualify for
payment you need to find 4 bugs before you can be eligible for payment? That
seems initially quite off putting.

~~~
christoph
I had to read that part twice as well. It seems that it's in addition to
whatever they are offering 'per bug' - you basically get a 10% bonus on the
average of everyone else's payouts.

So for example:

Bug 1 - $2k

Bug 2 - $3k

Bug 3 - $6k

Bug 4 - $1.5k

Bug 5 - $2k + 10% of total community average payout as bonus

~~~
pogilvie
Yeah I've looked around and can't quite follow it.. The rest of what they have
set out is really interesting though.

------
whitehat2k9
Laying out all their services and telling you what each runs on...ballsy. It's
the electronic equivalent of telling strangers where you live and who built
the house.

~~~
tyrust
Security through obscurity will not get you very far. This map just removes
that false protection and potentially gets more bug hunters' eyes on their
services.

------
mcintyre1994
As someone who's not really familiar with Uber except in a high-level overview
kind of way, does anyone know their reasoning behind not wanting a path from
email to uuid as a unique concern to them?

~~~
jon-wood
My guess is that they're trying to avoid people who've acquired a list of
email addresses being able to trivially work out which of those addresses have
Uber accounts. With that information one could target only those accounts with
phishing attacks and the like with potentially fewer people flagging those
emails as suspicious.

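The enumeration oracle jon-wood describes, as an added example (not code from Uber's post or from anyone in this thread): a hypothetical lookup endpoint that branches on whether an email is registered lets someone with a bought email list sort it into "has an Uber account" and "doesn't", while a uniform-response version gives them nothing to distinguish. The user store, UUIDs, addresses and both endpoint functions are constructed for illustration.

```python
"""Added example: why an email -> account-UUID path is an account-enumeration
oracle, and what the non-leaking version of the same endpoint looks like.

Nothing here is Uber's code; USERS, ATTACKER_LIST and both lookup functions
are constructed sample data for the demonstration.
"""
import uuid

# Constructed sample user store (hypothetical): email -> account UUID.
USERS = {
    "alice@example.com": uuid.UUID("11111111-1111-4111-8111-111111111111"),
    "bob@example.com": uuid.UUID("22222222-2222-4222-8222-222222222222"),
}

# A hypothetical list an attacker already holds; only some are registered.
ATTACKER_LIST = ["alice@example.com", "carol@example.com", "bob@example.com"]


def lookup_leaky(email: str) -> dict:
    """Vulnerable shape: the response differs by existence and exposes the UUID.

    Any difference at all (status code, body, length, timing) is enough for an
    attacker; returning the UUID on top of that is strictly worse.
    """
    account = USERS.get(email.lower())
    if account is None:
        return {"status": 404, "error": "no account for that email"}
    return {"status": 200, "uuid": str(account)}


def lookup_safe(email: str) -> dict:
    """Hardened shape: same status and same body whether or not the email exists.

    The existence check still happens (a real endpoint would, say, send a reset
    mail only when the account exists), but that branch must not alter anything
    the caller can observe. Rate limiting per source would sit in front of this.
    """
    _account = USERS.get(email.lower())  # side effect (e.g. send mail) keyed on this, never the response
    return {"status": 200, "message": "If that address has an account, we've emailed it."}


def enumerate_accounts(endpoint, candidates):
    """Attacker's side: flag every candidate whose response differs from a
    baseline probe for an address that certainly has no account."""
    baseline = endpoint(f"{uuid.uuid4().hex}@example.invalid")
    return [e for e in candidates if endpoint(e) != baseline]


if __name__ == "__main__":
    print("leaky endpoint reveals:", enumerate_accounts(lookup_leaky, ATTACKER_LIST))
    print("safe endpoint reveals: ", enumerate_accounts(lookup_safe, ATTACKER_LIST))
```

Run it and the leaky endpoint hands back exactly the registered subset of the attacker's list, while the hardened one yields an empty list because every response is byte-identical. The same discipline applies to any surface that branches on existence (signup, password reset, referral and invite flows), which is presumably why the post calls the email-to-UUID path out as a class of bug rather than a single endpoint.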
------
alpb
"What to look for" part sort of did not make any sense. If the security
engineers at Uber have a sense of where the vulnerabilities might come from,
they might as well seek those themselves.

I don't think anybody would say "oh yeah we were expecting some security bug
to arise from this code". I thought the point of security issues is, they show
up from places where you wouldn't even expect. I might be wrong.

~~~
ascorbic
I took it more as them saying "these are the things we really don't want to have
bugs in, so if you find them we'll pay well"

------
jon-wood
As an almost complete beginner how would I get to the point of being able to
consistently find security issues where they exist? I've got enough experience
as a developer to avoid the most common vulnerabilities, but I don't really
know how I'd go about approaching things from the other direction to surface
potentially undiscovered issues.

------
jasonjei
It shows quite a bit of wisdom that they've acknowledged the internal
undocumented mobile API to be the greatest surface area for attacks.

Even if they are certificate pinning, aren't there jailbreak ways to disable
that?

------
iamleppert
Only $10k for a remote code execution bug?

