Bug Bounty Update

Lindsey Glovin, Security Analyst, Product Security & Rob Fletcher, Product Security Engineering Manager

Over the last few months, we’ve been working on some important updates to our program. We’re updating the legal terms and providing more information about our expectations for engaging with Uber’s Bug Bounty Program. We’re also pleased to better leverage our platform to drive positive changes in the community.

To that end, we have a few things to share with everyone today.

Current Program Stats

Since our last update, we’ve paid over $290,000 and resolved nearly 200 issues, bringing the all-time total payout to more than $1.4 million.

As we’ve shared before, one of the things we’re continually working on is maintaining a healthy Signal to Noise Ratio (SNR) and we continue to make progress on this front. While the volume of reports we receive on a regular basis is trending down, the percentage of paid reports continues to increase, meaning we’re spending more time triaging and rewarding valid reports.

Program Changes

Updated Terms

Our new terms provide our technical scope and program terms in a single location for researchers to review. The new terms provide more specific guidance on what good faith vulnerability research looks like and what type of conduct falls outside that. We’ve also added specific instructions on what to do if a researcher comes in contact with user data while researching vulnerabilities.

We also want to provide a clear safe harbor for researchers acting in good faith. Our updated policy states:

If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.

Payout Bonus for Proof of Concept

We are also offering researchers an additional $500 on top of the final bounty for their resolved report if they include a fully scripted POC in their original report. This will allow us to quickly and thoroughly test issues once they are resolved, and run the POC again down the line to ensure there have not been regressions.

Charity Matching Pilot

Starting today, when a researcher chooses to donate their bounty from Uber to a charity through the HackerOne platform, our security team will match these donations up to $100,000. Once we hit that milestone, we’ll evaluate how the program is going, seek feedback from researchers, and determine whether we need to make any changes before expanding our contribution. Several leading bug bounty programs offer charitable matching already and our hope is for this to become a permanent part of our program.