Earn up to $10,000 per bug you find in Uber


Uber Bug Bounty Program
Uber is committed to protecting its users in every possible way and is securing its technology on all fronts. Uber recently closed a bounty program that was open to a limited number of security researchers in the US.


Now Uber has opened its bug hunter program to all individuals and is ready to pay up to $10,000 per genuine issue. Uber applies certain criteria when deciding the bounty value, but the effort will be worth it.

What type of vulnerabilities is Uber looking for?

Uber is looking for any vulnerability that could negatively affect the security of its users.
The main categories of vulnerabilities that Uber looks for are the following:


  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Server-side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Open Redirect Vulnerabilities
  • Access Control Issues (Insecure Direct Object Reference issues, etc)
  • Exposed Administrative Panels that don't require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Information Disclosure of Sensitive Information (such as system configurations, user data, etc)
  • Publicly accessible login panels

Please note that if a vulnerability (such as XSS) only affects a small population, e.g. a browser with a low usage percentage, the reward will be determined accordingly. Vulnerabilities that exist only in antiquated browsers such as Internet Explorer 8 for example, are not in scope.

Bounty Payout Range

Critical issues ($10,000) - Remote code execution on a production server; exposure of information that identifies individuals (social security numbers, credit card numbers, bank account numbers, driver license images); full account takeover of a rider/partner account without user interaction; payment or partner invoice information exposure at scale; potential access to source code; XSS in Toolshed (Uber's internal account management system) or server-side request forgery (SSRF); vulnerabilities leading to the compromise of an employee account (with a way to bypass two-factor authentication).

Significant issues ($5,000) - Stored Cross-site Scripting that can cause significant brand damage (e.g. on a homepage); missing authorization checks leading to the exposure of email addresses, dates of birth, names, phone numbers, etc.

Medium issues ($3,000) - Reflected Cross-site Scripting (XSS); most Cross-site Request Forgery (CSRF) issues; access control issues that do not expose PII but affect other accounts; rate limiting issues; account validation bypasses (being able to change a driver's picture, etc.); any vulnerability that allows the bulk lookup of user UUIDs (e.g. turning an auto-incrementing ID into a UUID, or turning an email address into a UUID).

Read more about the Uber bug bounty program
