They treat corporate employees (not drivers) fairly well, according to friends who work there. I'd be interested in hearing if you have experience to the contrary.
The fact that the most important part (reason for closing it) is left out makes it seem like it's just a bad bug report. The final linked comment seems to be Uber asking for steps to reproduce and then there's no follow up. If the bounty program is really a sham and they're closing out valid bugs, it seems like it should be simple to show a smoking gun here.
Seems like he just reported URLs of publicly available admin pages.
If that was in the scope and considered as a bug by Uber, he should be paid. But the scope change in general doesn't seem that shady, since they probably wanted to get it out of the scope as soon as possible if it's not really a bug.
Before this reaches a level rehashing the old "sell it on the blackmarket", I would like to clarify an issue here.
The policy change that occurred for Sean (the person the OP is using for his argument) was that Uber had clarified a change, without any clear notification. I blame the HackerOne Platform here, there is no way to send a notice of scope unless the program owner manually appends it at the top (in the case of yahoo https://hackerone.com/yahoo)
Didn't Uber just hire Chris Valasek and Charlie Miller (famous for the Jeep hack) a few months ago? Based on that I would have expected them to be at least half-serious about security. Or was that just for PR?
(Wrote about this on reddit but I think it is pending approval, reposting here)
Hi - I work on the security team at Uber. I am this guy: techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/
Yesterday we changed the language on our bug bounty page and I wanted to apologize for the confusion this caused. Since we launched our public bug bounty program on Tuesday, we have been reacting to the types of issues sent in and learning how to better define what we are looking for. This change was part of that, and not an effort to prevent anyone from earning bounties. The reason we clarified is so security researchers, whose time is valuable, wouldn't spend time on lower-risk issues like microsites that are unlikely to get a reward.
To Sean’s points about microsites, a microsite is usually a blog type site that rarely contains Uber user data and lives outside the Uber network. As such, even in cases where microsites are vulnerable, they pose a mild security risk to Uber which is why we clarified in our policy page to say that we do not reward them “except in extraordinary circumstances”. Sean also mentions that they are lower in severity: https://twitter.com/seanmeals/status/712975867236974592. Although the intent around microsites didn’t change, the language did. I apologize for this and we could have done better.
To the specific issue raised in your post, we have made it public: https://hackerone.com/reports/124975. As you mention, the payload does not fire so this is not a security concern.
A successful bug bounty rests on researchers trusting us to run it well, which we take very seriously. All the members of team running this program are part of the security community and many of us (mjb(1), jordan(2), rob(3)) actively submit to other bug bounty programs or perform security research as a hobby. We have awarded nearly a hundred issues via our pilot bug bounty program so far and we are excited to payout more in the future.
Our aim is to build a program by researchers, for researchers. I want to personally thank you for taking the time to submit your issue -- and any future issues. You can always see the scope and rules of our bug bounty program at https://hackerone.com/uber and you can feel free to mention my name in any reports to HackerOne to get my attention about an issue.
Not the full story, and not a sham in this case. The bug report was in fact invalid, the OP was mistaken and later admitted so himself in the original thread on HackerOne:
15 comments
[ 3.1 ms ] story [ 49.7 ms ] threadSo what was the reason they closed it again? Seems like that's the most important part here and it's left out.
If that was in the scope and considered as a bug by Uber, he should be paid. But the scope change in general doesn't seem that shady, since they probably wanted to get it out of the scope as soon as possible if it's not really a bug.
The policy change that occurred for Sean (the person the OP is using for his argument) was that Uber had clarified a change, without any clear notification. I blame the HackerOne Platform here, there is no way to send a notice of scope unless the program owner manually appends it at the top (in the case of yahoo https://hackerone.com/yahoo)
So its scope (https://hackerone.com/uber) changed from in scope
"Exposed Administrative Panels and Ports (Excluding OneLogin)"
to
"Exposed Administrative Panels that don't require login credentials"
With ports moved to out of scope unless,
"Open ports without an accompanying proof-of-concept demonstrating vulnerability"
I cannot speak for the OP and the validity of his XSS bug however.
Hi - I work on the security team at Uber. I am this guy: techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/
Yesterday we changed the language on our bug bounty page and I wanted to apologize for the confusion this caused. Since we launched our public bug bounty program on Tuesday, we have been reacting to the types of issues sent in and learning how to better define what we are looking for. This change was part of that, and not an effort to prevent anyone from earning bounties. The reason we clarified is so security researchers, whose time is valuable, wouldn't spend time on lower-risk issues like microsites that are unlikely to get a reward.
To Sean’s points about microsites, a microsite is usually a blog type site that rarely contains Uber user data and lives outside the Uber network. As such, even in cases where microsites are vulnerable, they pose a mild security risk to Uber which is why we clarified in our policy page to say that we do not reward them “except in extraordinary circumstances”. Sean also mentions that they are lower in severity: https://twitter.com/seanmeals/status/712975867236974592. Although the intent around microsites didn’t change, the language did. I apologize for this and we could have done better.
To the specific issue raised in your post, we have made it public: https://hackerone.com/reports/124975. As you mention, the payload does not fire so this is not a security concern.
A successful bug bounty rests on researchers trusting us to run it well, which we take very seriously. All the members of team running this program are part of the security community and many of us (mjb(1), jordan(2), rob(3)) actively submit to other bug bounty programs or perform security research as a hobby. We have awarded nearly a hundred issues via our pilot bug bounty program so far and we are excited to payout more in the future.
Our aim is to build a program by researchers, for researchers. I want to personally thank you for taking the time to submit your issue -- and any future issues. You can always see the scope and rules of our bug bounty program at https://hackerone.com/uber and you can feel free to mention my name in any reports to HackerOne to get my attention about an issue.
1. https://www.blackhat.com/us-15/briefings.html#bypass-surgery... 2. http://blog.saynotolinux.com/ 3.https://www.google.com/about/appsecurity/hall-of-fame/archiv...
https://hackerone.com/reports/124975
Source: https://twitter.com/jstnkndy/status/713077746507911168
Unfortunately he did not think to update his initial Reddit post afterwards.
EDIT: ...and now the post is gone.