
Uber explains itself after 'moving the goalposts' on its new bug bounties

Moneybags upstart accused of shafting people? Who'd have thought it?

It has been less than a week since Uber launched its bug bounty program and already security researchers are calling foul.

The taxi app biz teamed up with HackerOne to run the scheme, which promises to pay out up to $10,000 for bugs, plus a 10 per cent loyalty bonus on top of that for those who submit five bugs or more.

So HackerOne's top bug finder Sean Melia went to work on Uber's code, and found a few problems. After he reported the first one to Uber, the multibillion-dollar company changed the rules.

"They stated they wanted 'publicly accessible login panels' as well as 'exposed administrative panels and ports (excluding OneLogin)'," Melia told The Register today.

"So I reported one issue and it was triaged, basically stating that the bug has been approved. At that point I took the initiative to find as many other similar instances that I could report to them. After I did that Uber updated their scope documentation, which made my bugs invalid, so it was kind of like a bait and switch."

Melia said he wasn't expecting a massive payout for the bug, maybe $50 or so, because it wasn't that big an issue and he'd only been doing basic reconnaissance work at that stage. He said that he'd wished Uber had let researchers know about the rule change rather than tweaking the wording silently, and said he won't be participating further, preferring instead to analyze other companies' code.

Another researcher, Eric Angeles, also reported a flaw for which he said he wasn't paid. He has since acknowledged that his JavaScript payload to exploit the bug wouldn't fire and has withdrawn his complaint.

Collin Greene, Uber's security engineering manager, said the rules were changed to stop researchers wasting their time on minor bugs.

"Yesterday we changed the language on our bug bounty page and I wanted to apologize for the confusion this caused," said Greene in a statement.

"Since we launched our public bug bounty program on Tuesday, we have been reacting to the types of issues sent in and learning how to better define what we are looking for. This change was part of that, and not an effort to prevent anyone from earning bounties. The reason we clarified is so security researchers, whose time is valuable, wouldn't spend time on lower-risk issues like microsites that are unlikely to get a reward."

Greene said the microsite issue Melia raised wasn't an exploitable security vulnerability, and as such didn't qualify for a bounty "except in extraordinary circumstances." Melia told El Reg he was happy with the response.

"A successful bug bounty rests on researchers trusting us to run it well, which we take very seriously," Greene concluded.

"All the members of the team running this program are part of the security community and many of us actively submit to other bug bounty programs or perform security research as a hobby. We have awarded nearly a hundred issues via our pilot bug bounty program so far and we are excited to pay out more in the future." ®