The scope for Uber’s Bug Bounty program is inclusive of most of our assets. If it’s not out of scope, and it’s impactful, it’s in scope. If you find something that would be impactful to our users, we want to hear about it. Issues without security impact submitted to our program will be closed out - please review our out of scope section before submitting.
Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).
Ground Rules
You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will:
Play by the rules. This includes the Program Terms, Uber Terms of Use, and any terms and conditions for Uber’s in-scope domains. If there is any inconsistency between these Program Terms and any of Uber’s other terms, the program terms described on this page will control.
Respect our users’ privacy. You should only interact with Uber accounts you own or with explicit permission from the account holder. We want you to hunt for bugs, not user data. If you encounter user information during the course of your research:
Don’t extort us. You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.
Don’t cause more harm than good. You should never leave a system or users in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrade, damage, or destroy information within our systems, or that may impact our users, such as denial of service, social engineering or spam.
If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.
Failure to act in good faith will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any benefit of the Bug Bounty Program.
If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.
To be eligible to participate in our Bug Bounty Program, you must:
If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with Uber or its affiliates; or (iii) we determine that your participation in the Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole discretion, may remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.
High-quality submissions allow our team to better understand the issue and relay the bug to the internal team to fix. The best reports provide enough actionable information to verify and validate the issue without any follow-up clarifying questions.
We use “impact buckets” to categorize vulnerabilities, and each impact bucket has several different factors that we use to determine the overall severity and likelihood of the issue.
Data Exposure : the ability to access user data, employee data, or sensitive Uber business data without having an authorized relationship with the Victim or the company.
Unauthorized Actions on Behalf of User : the ability to forge authenticated actions on behalf of a Victim.
Unauthorized Actions on Behalf of Uber : the ability to forge authenticated actions on behalf of Uber.
Monetary Impact : the ability to cause monetary impact to Uber or Uber users through a technical vulnerability.
Social Engineering : the ability to carry out targeted and convincing phishing on Uber users. (Note: Almost all examples of social engineering end up out-of-scope; see below.)
Physical Safety : the ability to bypass physical safety controls through a technical vulnerability; the key aspect of these reports is that there exists a technical vulnerability in our services.
Previous bounty amounts are not considered a precedent for future bounty amounts.
Bounty awards are not additive and are subject to change as our internal environment evolves. We determine the upper bound for security impact and award based on that impact.
We focus bounty amounts on the security impact of any given issue; the things that influence security impact are the scale of exposure and the various mitigating and multiplying factors.
We recognize that researchers value receiving bounties sooner rather than later, but basing payouts on security impact often requires us to get to resolution before we completely understand the potential security impact. To accomplish both of these needs, we have a hybrid model where we pay out our $500 minimum bounty at time of triage and then the full bounty at resolution once we completely understand the security impact. In the unlikely event that we're unable to tell at the time of triage whether a Submission is within scope, we will hold off on awarding the minimum bounty until we're able to confirm.
Bounty payouts and amount, if any, will be determined by us in our sole discretion. In no event are we obligated to provide a payout for any Submission. The format, currency and timing of all bounty payouts shall be determined by us in our sole discretion. You are solely responsible for any tax implications related to any bounty payouts you may receive.
If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.
Reports must demonstrate security impact to be considered; general software bugs are not in scope for this program.
Fraud reports are no longer in scope. This includes reports detailing the ability to take free rides and evade payment. Please send all fraud-related issues to external-fraud-reports-group@uber.com
Most Social Engineering
Negligible security impact
Unchained open redirects
Enumeration/account oracles
UUID enumeration of any kind
Out-of-scope domains
support-uber.com
lioncityrentals.com.sg
xchangeleasing.com
*.uber.com.cn domains or any other properties relating to Uber in China, since they belong to Didi Chuxing
uber.onelogin.com (OneLogin runs their own bug bounty program and any vulnerabilities for OneLogin should be reported to them)
bizblog.uber.com
newsroom.uber.com
love.uber.com
drive.uber.com
eng.uber.com
people.uber.com
*.et.uber.com
Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.
We may modify the Program Terms or cancel the Bug Bounty Program at any time.
By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.
By making a Submission, you give us the right to use your Submission for any purpose.
The program has been crawled by Firebounty on 2016-03-22 and updated on 2019-11-27; 1198 reports have been received so far.
FireBounty © 2015-2019