
Uber Bug Bounty Program – It's a Sham - n-exploit
https://www.reddit.com/r/technology/comments/4bq67q/ubers_bug_bounty_program_is_a_complete_sham/
======
phwd
Before this reaches a level rehashing the old "sell it on the blackmarket", I
would like to clarify an issue here.

The policy change that occurred for Sean (the person the OP is using for his
argument) was that Uber had clarified a change, without any clear
notification. I blame the HackerOne Platform here; there is no way to send a
notice of scope unless the program owner manually appends it at the top (as in
the case of Yahoo: [https://hackerone.com/yahoo](https://hackerone.com/yahoo)).

So its scope ([https://hackerone.com/uber](https://hackerone.com/uber))
changed from in scope

"Exposed Administrative Panels and Ports (Excluding OneLogin)"

to

"Exposed Administrative Panels that don't require login credentials"

With ports moved to out of scope unless,

"Open ports without an accompanying proof-of-concept demonstrating
vulnerability"

I cannot speak for the OP and the validity of his XSS bug however.

------
jmiserez
Not the full story, and not a sham in this case. The bug report was in fact
invalid; the OP was mistaken and later admitted so himself in the original
thread on HackerOne:

[https://hackerone.com/reports/124975](https://hackerone.com/reports/124975)

Source:
[https://twitter.com/jstnkndy/status/713077746507911168](https://twitter.com/jstnkndy/status/713077746507911168)

Unfortunately he did not think to update his initial Reddit post afterwards.

EDIT: ...and now the post is gone.

------
emerongi
Seems like he just reported URLs of publicly available admin pages.

If that was in the scope and considered as a bug by Uber, he should be paid.
But the scope change in general doesn't seem that shady, since they probably
wanted to get it out of the scope as soon as possible if it's not really a
bug.

------
jclulow
If it's true, it seems that they treat the security community about as well as
they treat their drivers. Or the law in many places.

~~~
msoad
They don't treat their software engineering department well either

~~~
bichiliad
Is that first hand?

~~~
msoad
Ask people who work at Uber about "surge seating" or what time dinner is
served!

------
libber
(Wrote about this on reddit but I think it is pending approval, reposting
here)

Hi - I work on the security team at Uber. I am this guy:
[techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/](https://techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/)

Yesterday we changed the language on our bug bounty page and I wanted to
apologize for the confusion this caused. Since we launched our public bug
bounty program on Tuesday, we have been reacting to the types of issues sent
in and learning how to better define what we are looking for. This change was
part of that, and not an effort to prevent anyone from earning bounties. The
reason we clarified is so security researchers, whose time is valuable,
wouldn't spend time on lower-risk issues like microsites that are unlikely to
get a reward.

To Sean’s points about microsites, a microsite is usually a blog type site
that rarely contains Uber user data and lives outside the Uber network. As
such, even in cases where microsites are vulnerable, they pose a mild security
risk to Uber which is why we clarified in our policy page to say that we do
not reward them “except in extraordinary circumstances”. Sean also mentions
that they are lower in severity:
[https://twitter.com/seanmeals/status/712975867236974592](https://twitter.com/seanmeals/status/712975867236974592).
Although the intent around microsites didn’t change, the language did. I
apologize for this and we could have done better.

To the specific issue raised in your post, we have made it public:
[https://hackerone.com/reports/124975](https://hackerone.com/reports/124975).
As you mention, the payload does not fire so this is not a security concern.

A successful bug bounty rests on researchers trusting us to run it well, which
we take very seriously. All the members of the team running this program are
part of the security community and many of us (mjb(1), jordan(2), rob(3))
actively submit to other bug bounty programs or perform security research as a
hobby. We have awarded nearly a hundred issues via our pilot bug bounty program
so far and we are excited to pay out more in the future.

Our aim is to build a program by researchers, for researchers. I want to
personally thank you for taking the time to submit your issue -- and any
future issues. You can always see the scope and rules of our bug bounty
program at [https://hackerone.com/uber](https://hackerone.com/uber) and you
can feel free to mention my name in any reports to HackerOne to get my
attention about an issue.

1. [https://www.blackhat.com/us-15/briefings.html#bypass-surgery-abusing-content-delivery-networks-with-server-side-request-forgery-ssrf-flash-and-dns](https://www.blackhat.com/us-15/briefings.html#bypass-surgery-abusing-content-delivery-networks-with-server-side-request-forgery-ssrf-flash-and-dns)
2. [http://blog.saynotolinux.com/](http://blog.saynotolinux.com/)
3. [https://www.google.com/about/appsecurity/hall-of-fame/archive/](https://www.google.com/about/appsecurity/hall-of-fame/archive/)

------
jupenur
Didn't Uber just hire Chris Valasek and Charlie Miller (famous for the Jeep
hack) a few months ago? Based on that I would have expected them to be at
least half-serious about security. Or was that just for PR?

------
Kiro
> They ultimately closed my bug and reopened it STATING it was a new valid
> bug, then closed it again.

So what was the reason they closed it again? Seems like that's the most
important part here and it's left out.

~~~
viscanti
The fact that the most important part (reason for closing it) is left out
makes it seem like it's just a bad bug report. The final linked comment seems
to be Uber asking for steps to reproduce and then there's no follow up. If the
bounty program is really a sham and they're closing out valid bugs, it seems
like it should be simple to show a smoking gun here.

