by WUHANCLAN
2303 days ago
The triage was escalated to Rob Fletcher and Uber's security liaison Lindsey Glovin. You're right, Portswigger was running a promo with HackerOne. After I submitted a couple of different vulnerabilities, they then locked all of my reports and gave the $23,000 bounty award to "shubs (notaffy)". These were three critical vulnerabilities on the m.uber.com endpoint; I was able to bypass their WAF and XSS_Auditor protections, followed by demonstrating reflected SSL'ized XSS under the *.uber.com certificate and remote JavaScript execution capability.