by hackeroneuser 3104 days ago
Here is my personal take on this:

I have worked personally on numerous occasions with Uber's security team. I have helped them with many security issues and they have always been open to securing vulnerabilities, listening to hackers to make a change and even paying good payouts.

There are a couple of things I want to point out to the author here:

1) You said that if these were Duplicate reports, they have to have a report number assigned. If you use the HackerOne application frequently (which it does not look like you do), a report number is only assigned if it was submitted by another hacker. There are situations when internal findings are also in the process of being fixed.

Uber's treasure map is simply a guide. If you find something that is a bypass of what they said they have, it does not mean it's an original finding. I work at a company where we have our own security team breaking applications every day. Sometimes hackers submit similar findings that our security team found before. In such cases, if it is a low priority issue, it will take time for us to fix because we do not prioritize it. In that case, a hacker will get a report marked as Duplicate with no report number assigned.

For the first three reports that is exactly what happened.

2) A personal attack against an employee of a company will not help you anyway. You went after an employee just based on your degree. If you look closely at the industry, it is a matter of experience, not degrees. I have worked with colleagues who are way smarter than me in the field and have way more experience. I never judge them based on their degree.

3) I am still not sure about your reflected XSS bug. Were you able to actually get an XSS to execute? Seeing the reply from Rob makes me think you probably found a valid xss that works on an old browser. In addition, you also said you gained access to internal uChat: "I'm also able to bypass the Uber OneLogin SSO portal, resulting in source code disclosure from their internal uChat employee messaging system." but you did not prove that anywhere in your blog, so I don't know if that is legit.

To conclude, considering the recent media attention on Uber due to security mishaps that occurred before, it seems to me that you are just looking for media attention. First, your title is clickbait because 3 of your reports are duplicates, so I am not sure why you expected any bounty.

To make this clear: I am a hacker in the community and an active participant in Uber's bug bounty and also in HackerOne. I have never seen Uber be unfair to hackers on the platform. Hell, to even encourage hackers, they started to pay 500 on triage.

That said, I am looking forward to your comment on this and would love to see your discussion on my points listed above.

2 comments

For 3) what are you not sure about? He demonstrated arbitrary DOM manipulation, and it reads like the XSS worked with some WAF avoidance. Brass tacks: do you agree they should have paid out something for this?

I will not say anything about whether he needs to get paid or not until Uber discloses the report. If he showed that it is a valid xss and not a content injection, then I guess it would be valid. But again, right now we do not have the report made public.

Even your username tells us that you are absolutely biased toward hackerone. Maybe you are even a staff/co-founder of hackerone.

My username has nothing to do with anything. I simply chose it to hide my identity. I said what I said because I hack multiple programs across multiple platforms. These kinds of blogs usually give companies the sense that all hackers are like this. This leaves a bad impression about what we actually do. I don't think simply having hackerone in my name will make me biased. If you check my comment, you will see I have not said that HackerOne is right and the hacker is wrong. I have simply pointed out the right facts that I felt were important for everyone to see. His blog leaves out a lot of points and also misguides readers.

Hopefully this clears it up for you.

Also, I wish I were a hackerone employee or worked at any of these platforms as an employee. I am simply a hacker and also an employee of a company that runs a bbp, so I have been on both sides and I understand the frustration of both sides. Being frustrated does not provide an excuse for the hacker's behavior of harassing an employee based on their degree. This community is diverse and that is what we should learn to appreciate.