|Uber Bug Bounty Program|
Now Uber have opened its bug hunter program to all individuals. Uber is ready to pay $10,000 per genuine issue. They have certain criteria for deciding the bounty value but it all will be worth for it.
What type of vulnerabilities is Uber looking for?
Uber is looking for any vulnerability which could negatively affect the security of its users.
The main categories of vulnerabilities that uber look for are the following:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Open Redirect Vulnerabilities
- Access Control Issues (Insecure Direct Object Reference issues, etc)
- Exposed Administrative Panels that don't require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Information Disclosure of Sensitive Information (such as system configurations, user data, etc)
- Publicly accessible login panels
Please note that if a vulnerability (such as XSS) only affects a small population, e.g. a browser with a low usage percentage, the reward will be determined accordingly. Vulnerabilities that exist only in antiquated browsers such as Internet Explorer 8 for example, are not in scope.
Bounty Payout Range
Critical issues ($10,000) - Remote code execution on a production server. Exposure of information that identifies individuals (social security numbers, credit card numbers, bank account numbers, driver license images) Full account takeover of rider/partner account without interaction. Payment or partner invoice information exposure at scale. Potential access to source code. XSS in Toolshed (our internal account management system), or server-side request forgery (SSRF). Vulnerabilities leading to the compromise of an employee account (with a way to bypass two-factor).
Significant Issues ($5,000) - Stored Cross-site Scripting which can cause significant brand damage (e.g. in a homepage), missing authorization checks leading to the exposure of email addresses, date of birth, names, phone numbers, etc.
Medium Issues ($3,000) - Reflected Cross-site Scripting (XSS), most Cross-site Request Forgery (CSRF) issues, access control issues which do not exposed PII but affect other accounts, rate limiting issues, account validation bypasses (being able to change driver picture, etc). Any vulnerability which allows the bulk lookup of user UUIDs (e.g. turn an auto-incrementing ID into a UUID, turn an email into a UUID).
Read more about Bug bounty program
Most important links to check next ...
Still not on uber: Uber India Sign up and get 1 free ride