Uber
22/03/2016
Thanks, Gift, Hall of Fame, Reward
Reward: 500 $
Uber Bug Bounty Program Terms


The scope for Uber’s Bug Bounty program is inclusive of most of our assets. If it’s not out of scope, and it’s impactful, it’s in scope. If you find something that would be impactful to our users, we want to hear about it. Issues without security impact submitted to our program will be closed out - please review our out of scope section before submitting.

Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

Ground Rules

  • Research and disclose in good faith.
  • Respect our users’ privacy.
  • No extortion, shake downs, or duress.
  • Don’t leave any system in a more vulnerable state than you found it.
  • Don’t publicly disclose a vulnerability without our consent and review.
  • Be respectful when interacting with our team, and our team will do the same.

Table of Contents


  • Good Faith Vulnerability Research and Disclosure
  • Eligibility to Participate
  • Submissions and Report Quality
  • Security Impact Buckets
  • Bounty Amounts
  • Out-of-Scope
  • Confidentiality
  • Rights and Licenses

Good Faith Vulnerability Research and Disclosure


You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will:

Play by the rules. This includes the Program Terms, Uber Terms of Use, and any terms and conditions for Uber’s in-scope domains. If there is any inconsistency between these Program Terms and any of Uber’s other terms, the program terms described on this page will control.

Respect our users’ privacy. You should only interact with Uber accounts you own or with explicit permission from the account holder. We want you to hunt for bugs, not user data. If you encounter user information during the course of your research:

  • Stop right there. Actions taken beyond this are not authorized.
  • Report this immediately to our Bug Bounty team so we can investigate.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the information.
  • Work with us if we have any further requests.

Don’t extort us. You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.

Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.

If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.

Failure to act in good faith will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any benefit of the Bug Bounty Program.

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.


Eligibility to Participate


To be eligible to participate in our Bug Bounty Program, you must:

  • Be at least 18 years of age if you test using an Uber account.
  • Not be employed by Uber or any of its affiliates or an immediate family member of a person employed by Uber or any of its affiliates.
  • Not be a resident of, or make Submissions from, a country against which the United States has issued export sanctions or other trade restrictions.
  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program.
  • Not be using duplicate HackerOne accounts.

If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with Uber or its affiliates; or (iii) we determine that your participation in the Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole discretion, may remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.


Submissions and Report Quality


High-quality submissions allow our team to better understand the issue and relay the bug to the internal team to fix. The best reports provide enough actionable information to verify and validate the issue without any follow-up clarifying questions.

  • Check the scope page before you begin writing your report to ensure the issue you are reporting is in scope for the program.
  • Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue (include screenshots if possible).
  • Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better. We cannot pay out after the fact if we don’t have evidence and a mutual understanding of security impact.
  • In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
  • Video only proof-of-concepts (PoCs) will not be considered.
  • A vulnerability must be verifiable and reproducible to be considered in scope.

Security Impact Buckets


We use “impact buckets” to categorize vulnerabilities, and each impact bucket has several different factors that we use to determine the overall severity and likelihood of the issue.

Data Exposure: the ability to access user data, employee data, or sensitive Uber business data without having an authorized relationship with the Victim or the company.

  • Factors considered may include:
    • Number of impacted users
    • Sensitivity of data exposed
    • Scale of exposure

Unauthorized Actions on Behalf of User: the ability to forge authenticated actions on behalf of a Victim.

  • Factors considered may include:
    • Ability to modify data on behalf of another user
    • Severity of forged actions
    • Possibility of account takeover
    • Level of privilege/access obtained
    • Actions noticeable by victim

Unauthorized Actions on Behalf of Uber: the ability to forge authenticated actions on behalf of Uber.

  • Factors considered may include:
    • Actions performed by the authenticated request
    • Level of privilege/access obtained
    • Service interruption
    • Requires brute forcing

Monetary Impact: the ability to cause monetary impact to Uber or Uber users through a technical vulnerability.

  • Factors considered may include:
    • Financial impact
    • Service interruption
    • Number of impacted users
    • Requires multiple accounts

Social Engineering: the ability to carry out targeted and convincing phishing on Uber users. (Note: Almost all examples of social engineering end up out-of-scope; see below.)

  • Factors considered may include:
    • Sensitivity of data exposed
    • Number of users impacted
    • Possibility of account takeover
    • Ability to control content
    • Existence of rate limiting

Physical Safety: the ability to bypass physical safety controls through a technical vulnerability -- the key aspect of these reports is that there exists a technical vulnerability in our services.

  • Factors considered may include:
    • Potential to cause physical harm
    • Number of users potentially impacted

Bounty Amounts


Previous bounty amounts are not considered a precedent for future bounty amounts.
Bounty awards are not additive and are subject to change as our internal environment evolves. We determine the upper bound for security impact and award based on that impact.

We focus bounty amounts on the security impact of any given issue -- things that influence security impact are the scale of exposure and the various mitigating and multiplying factors.

We recognize that researchers value receiving bounties sooner rather than later, but basing payouts on security impact often requires us to get to resolution before we completely understand the potential security impact. To accomplish both of these needs, we have a hybrid model where we pay out our $500 minimum bounty at time of triage and then the full bounty at resolution once we completely understand security impact. In the unlikely event that we're unable to tell at the time of triage whether a Submission is within scope, we will hold off on awarding the minimum bounty until we're able to confirm.

Bounty payouts and amount, if any, will be determined by us in our sole discretion. In no event are we obligated to provide a payout for any Submission. The format, currency and timing of all bounty payouts shall be determined by us in our sole discretion. You are solely responsible for any tax implications related to any bounty payouts you may receive.

If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.


Out-of-Scope


  • Must demonstrate security impact for report to be considered - general software bugs are not in scope for this program.
  • Fraud reports are no longer in scope. This includes reports detailing the ability to take free rides and evade payment. Please send all fraud-related issues to external-fraud-reports-group@uber.com
  • Most Social Engineering
    • Physical or social engineering attempts (this includes phishing attacks against Uber employees)
    • Ability to send push notifications/SMS messages/emails without the ability to change content
    • Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.)
    • Entering the Uber offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
  • Negligible security impact
    • Unchained open redirects
    • Reports that state that software is out of date/vulnerable without a proof-of-concept
    • Highly speculative reports about theoretical damage
    • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
    • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
    • SSL/TLS scan reports (this means output from sites such as SSL Labs)
    • Open ports without an accompanying proof-of-concept demonstrating vulnerability
    • Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
    • CSV injection
    • Best practices concerns
    • Protocol mismatch
    • Exposed login panels
    • Dangling IPs
    • Vulnerabilities that cannot be used to exploit other users or Uber -- e.g. self-XSS or having a user paste JavaScript into the browser console
    • Content injection issues
    • Missing cookie flags on non-authentication cookies
    • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
    • Reports that affect only outdated user agents or app versions -- we only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, IE and the versions of our application that are currently in the app stores
    • Issues that require physical access to a victim’s computer/device
    • Stack traces
    • Path disclosure
    • Directory listings
    • Banner grabbing issues (figuring out what web server we use, etc.)
    • If a site is abiding by the privacy policy, there is no vulnerability.
  • Enumeration/account oracles
    • UUID enumeration of any kind
    • Invite/Promo code enumeration
    • Gift card enumeration
    • Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Uber account exists
  • Distributed denial of service attacks (DDoS)

Out-of-scope domains

  • support-uber.com
  • lioncityrentals.com.sg
  • xchangeleasing.com
  • *.uber.com.cn domains or any other properties relating to Uber in China, since they belong to Didi Chuxing
  • uber.onelogin.com (OneLogin runs their own bug bounty program and any vulnerabilities for OneLogin should be reported to them)
  • bizblog.uber.com
  • newsroom.uber.com
  • love.uber.com
  • drive.uber.com
  • eng.uber.com
  • people.uber.com
  • *.et.uber.com

Confidentiality


Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.


Rights and Licenses


We may modify the Program Terms or cancel the Bug Bounty Program at any time.

By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.

By making a Submission, you give us the right to use your Submission for any purpose.


The program has been crawled by Firebounty on 2016-03-22 and updated on 2019-11-27; 1198 reports have been received so far.

FireBounty © 2015-2019