Uber Engineering Bug Bounty: The Treasure Map

Having descriptions of all the various services is great.<p>Something I couldn&#x27;t see here is that while you ask for bugs related to a variety of accounts, are there ways of creating such accounts? I can fairly easily ensure I don&#x27;t poke at the normal user account of someone else, but what about drivers&#x2F;businesses&#x2F;etc?<p>More generally for HNers, are there common ways of dealing with this? Do people try and run parallel stacks that don&#x27;t contain real info? Or do devs setup fake accounts?<p>I&#x27;m not in this business so apologies if I&#x27;m missing something really obvious.

There are a ton of bug bounties nowadays, but it&#x27;s a nice change of pace to have a company give some data on backend stack, subdomains, and purpose of the services up front.<p>Great move on Uber&#x27;s part!

I would love a Marauder&#x27;s Map for bug bounty programs: Show me who is working on what, where they&#x27;re finding bugs, and help me identify where I can most efficiently spend my time. Lots of &#x27;feel bads&#x27; if I report a bug that&#x27;s already been reported, and thus don&#x27;t get a payout.

How about UX bugs<p>Like:<p>1. Messages to drivers are apparently not through uber?<p>It seems like sending a message to a driver happens through SMS rather than through uber itself. This seems to result in driver not seeing message. Had that happen twice yesterday. Told driver exactly where I was. Driver gets lost and calls me and from conversion it&#x27;s clear he never read the message.<p>2. Can&#x27;t change your pick up point.<p>Ran into this yesterday. Was waiting near corner of franklin and market on market on the outbound side wanting to go to sunset area. Guy doesn&#x27;t read message which specifically said turn right on market (he was on Page that lets you turn right onto market). Instead he crossed market which at that point I had to cancel the ride because it would have been another 10 minutes for him to drive the 10+ blocks to correct his mistake<p>That led to getting driver #2. He was coming down Gough so in the interest of making it easier for both of us I walked up to Gough. I wasn&#x27;t able to change my pickup location. I messaged him that I had moved to gough and market. He called when he got to franklin and market making it clear he didn&#x27;t get my message.

The going rate for critical bounties is way too small. It&#x27;s upsetting to see a company worth $10+ billion offering $5k - $15k when it comes to the protection of their user&#x27;s information. Just earlier this month Facebook rewarded a paltry $15k for a bug that could unlock any user&#x27;s account. That sort of information in the wrong hands or resulting in a massive PII leak will cause a few orders of magnitude higher in damage to their market cap and goodwill.<p>And I say this from personal experience. Two years ago I submitted a bug to a $10B+ public company which revealed the personal information (email, name, home address, phone) of ~145M users and they offered $10k. Another recent example to a $50B+ public company via HackerOne that exposed the same sort of data for ~77M users. They paid out $1k. I assumed they had left off a 0, but nope, they actually told me $1k was higher than their normal bounty due to the severity. Submitted a bug to a publicly traded food delivery company in the UK, which revealed detail order history (customer name, address, email, phone, partial CC #) for their entire platform. They offered me £500 in food delivery credit. All of my submissions have been purely in good faith and nothing at all resembling extortion, but I assure you there are thousands of bad actors out there far more skilled than I.<p>And there&#x27;s plenty of legal outlets for this information (depending on how it is accessed of course). Local governments and Lyft would love to know ridership usage details about Uber.

So the first &#x27;season&#x27; of the bug bounty is 90 days long, and to qualify for payment you need to find 4 bugs before you can be eligible for payment? That seems initially quite off putting.

Laying out all their services and telling you what each runs on...ballsy. It&#x27;s the electronic equivalent of telling strangers where you live and who built the house.

As someone whose not really familiar with Uber except at a high level overview kind of way, does anyone know their reasoning behind not wanting a path from email to uuid as a unique concern to them?

&quot;What to look for&quot; part sort of did not make any sense. If the security engineers at Uber has a sense of where the vulnerabilities might come from, they might as well seek those themselves.<p>I don&#x27;t think anybody would say &quot;oh yeah we were expecting some security bug to arise from this code&quot;. I thought the point of security issues is, they show up from places where you wouldn&#x27;t even expect. I might be wrong.

As an almost complete beginner how would I get to the point of being able to consistently find security issues where they exist? I&#x27;ve got enough experience as a developer to avoid the most common vulnerabilities, but I don&#x27;t really know how I&#x27;d go about approaching things from the other direction to surface potentially undiscovered issues.

It shows quite a bit of wisdom that they&#x27;ve acknowledged the internal undocumented mobile API to be the greatest surface area for attacks.<p>Even if they are certificate pinning, aren&#x27;t there jailbreak ways to disable that?

Only $10k for a remote code execution bug?