(Wrote about this on reddit but I think it is pending approval, reposting here)

Hi - I work on the security team at Uber. I am this guy: techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/

Yesterday we changed the language on our bug bounty page and I wanted to apologize for the confusion this caused. Since we launched our public bug bounty program on Tuesday, we have been reacting to the types of issues sent in and learning how to better define what we are looking for. This change was part of that, and not an effort to prevent anyone from earning bounties. The reason we clarified is so security researchers, whose time is valuable, wouldn't spend time on lower-risk issues like microsites that are unlikely to get a reward.

To Sean's points about microsites, a microsite is usually a blog-type site that rarely contains Uber user data and lives outside the Uber network. As such, even in cases where microsites are vulnerable, they pose a mild security risk to Uber, which is why we clarified in our policy page to say that we do not reward them "except in extraordinary circumstances". Sean also mentions that they are lower in severity: https://twitter.com/seanmeals/status/712975867236974592. Although the intent around microsites didn't change, the language did. I apologize for this and we could have done better.

To the specific issue raised in your post, we have made it public: https://hackerone.com/reports/124975. As you mention, the payload does not fire, so this is not a security concern.

A successful bug bounty rests on researchers trusting us to run it well, which we take very seriously. All the members of the team running this program are part of the security community and many of us (mjb(1), jordan(2), rob(3)) actively submit to other bug bounty programs or perform security research as a hobby.

We have awarded nearly a hundred issues via our pilot bug bounty program so far and we are excited to pay out more in the future. Our aim is to build a program by researchers, for researchers. I want to personally thank you for taking the time to submit your issue -- and any future issues. You can always see the scope and rules of our bug bounty program at https://hackerone.com/uber and you can feel free to mention my name in any reports to HackerOne to get my attention about an issue.

1. https://www.blackhat.com/us-15/briefings.html#bypass-surgery...
2. http://blog.saynotolinux.com/
3. https://www.google.com/about/appsecurity/hall-of-fame/archiv...