Celebrating a Year of Smashing Bugs

Rob Fletcher, security engineering manager & Lindsey Glovin, program manager

One year ago today, we launched a public bug bounty after running a private disclosure program for several years. Bug bounty isn’t always the best thing for every organization and it’s not something you should launch without serious consideration, but one year in, we believe we made the right choice for a couple of reasons.

First, a public program gives our team more opportunities to engage with researchers from different backgrounds with varying degrees of experience. We’re able to learn from the most experienced researchers while helping new researchers further develop their skills. In addition to improving internet security, bug bounty is a great way to get started in a security career and network with some of the best professionals in the world.

Opening up our program also introduced us to some very talented researchers around the world who we didn’t know before. The diversity of their experience and perspectives gives us insight into attack scenarios we hadn’t considered, significantly multiplying our ability to protect Uber users across various environments and geographic locations.

It’s been an exciting year for Uber’s security team and we’re excited to share this moment with more than 500 researchers around the world!

Metrics and Milestones

Here are some key updates on where the program currently stands:

• We’ve paid researchers more than $860,000 USD since our public launch in 2016.
• During the past year, security researchers helped us identify and fix more than 500 bugs across Uber’s portfolio of products and services.
• Our Signal to Noise Ratio (SNR) improved by 30% since August 2016. Our SNR is now 1:5.

Signal to Noise Ratio (SNR) refers to the number of legitimate issues reported compared to the total number of reports received. We calculate it as (resolved + triaged) / (informative + spam + N/A). The objective in measuring this metric over time is to reduce the volume of noisy reports without blocking legitimate reports that fall outside the expected curve. Ultimately, this means an upward trend toward a lower ratio is more significant than the static SNR.

• No single country takes the cake when it comes to the security talent we see in our program. Our top 50 researchers represent 26 different countries!

In alphabetical order: Australia, Bangladesh, Belarus, Belgium, Brazil, Bulgaria, Canada, China, Egypt, Finland, France, India, Israel, the Netherlands, Nigeria, Pakistan, Poland, Portugal, Russia, Sweden, Taiwan, Turkey, Ukraine, the United Kingdom, the United States, and Vietnam.

Twenty-six countries are represented by the top fifty researchers in Uber’s bug bounty program.

Feedback and Future Plans

Keeping the lines of communication open with researchers is a priority for our team. We love to hear from you on what’s working and what’s not. A special thank you to the hundreds of researchers who shared their feedback with us to help make our program even better.

Based on early researcher feedback, we dedicated efforts to shorten response times and add more transparency about our severity assessments and bounty decisions. Recent feedback shows the effort is paying off and we’re trending in the right direction. A lot of researchers also called out some great experiences they had with our team, specifically during the triage process. Those positive engagements mean just as much to us because it helps get to resolution faster and enables us to learn from each other. Thank you.

One of the most popular aspects of our program continues to be the Treasure Map, an overview of Uber services and tips for uncovering security issues. It helps researchers prioritize their investigations on the services and bugs we care about most, which leads to more impactful findings and higher bounties. Building on the success of the Treasure Map, we’re working on creating more resources like this in the future.

Remarkable Bugs

Across the hundreds of bugs unearthed through our program this year, we wanted to highlight a few unique ones.

• Privilege escalation in uSSH. Uber’s security team recently released its first open source security project, a pam_ssh module to enable continuous re-authentication of SSH keys. Hours after we announced this release, Solar Designer reported an issue with permissions that could allow an escalation of internal privileges. Not only was the report textbook quality with a clear and concise description of the bug, the security impact, and reproducible steps, it also lead to an interesting exploration of potential resolutions. You can read the entire thread in the HackerOne report here.
• SQLi in vendor product. We awarded several researchers this year for reporting bugs in the vendor products we use. For example, kazan71p discovered an SQLi vulnerability in an Anomali product that, while hosted outside of our infrastructure and did not expose Uber employee or user data, included a risk potential that warranted immediate attention and subsequent recognition for the researcher. Anomali worked quickly with our team to resolve the issue in a matter of days. We were very pleased with their response as vendor relationships can have a significant impact on our own supply chain security. Read the HackerOne report here.
• Ride for free on Uber. Temmyscript was one of the earliest members of our public bug bounty program and submitted one of the most unique reports we’ve received. He found a way to manipulate payment information during a trip, which would have allowed him to ride on Uber for free, indefinitely. The difference between Temmyscript’s report and others we’ve seen that reference free rides, is that the account wasn’t put into arrears so our systems weren’t flagging it for past due charges. While this had direct impact on Uber, but not users, we appreciated the creativity and technical accuracy of the report. Read the HackerOne report here.