Bug Bounty Improvements: More Money, Faster

Uber Privacy & Security
Apr 14, 2017

Rob Fletcher, security engineering manager

Today, at the Hack in the Box (HiTB) Conference, we announced two improvements to our bug bounty program:

  1. Larger Minimum Payments — We’ve increased the minimum payment for legitimate bug reports from $100 USD to $500 USD. A few weeks ago, we published a recap from our program’s first year as a public bug bounty. We reported a 30 percent improvement in our Signal to Noise Ratio (SNR), which indicates a significant reduction in the volume of noisy versus legitimate reports. As a result, our team spends less time on illegitimate or low impact reports and we’re able to reallocate these resources to rewarding researchers.
  2. More Immediate Rewards — For eligible reports, we are now awarding the minimum bounty ($500 USD) at the time of triage and will send the remaining bounty when the issue is resolved. We appreciate the continued patience of researchers whose reports help us thoroughly investigate complex issues and identify long-term, sustainable fixes. This new process enables us to recognize researchers’ efforts while we work to investigate the full impact of an issue. (We are contacting researchers with eligible reports currently in triage to award them the new minimum retroactively.)

These improvements are live and reflected in our updated program terms here.

Also at HiTB, we shared additional insight into how our internal team works and how researchers can maximize their experience with our program. You might have heard similar feedback from other bug bounty teams because, by and large, these are universal pain points of public programs designed to support participation from an ever-expanding research community.

Focus on Protecting People.

When considering the security impact of a report, exposure of user data is the top priority. After that, we consider the scale of exposure and the specific content exposed. For scale, we look at how many users were or could potentially have been impacted as a result of the vulnerability, e.g. is it easy to exploit at a large scale? As the scale increases, so does the security impact of the report. With regard to content, we look at the severity of data that could have been exposed. Reports that expose Uber user data will always be our priority. From this perspective, reports that only demonstrate monetary impact to Uber (e.g. fraud), while sometimes interesting, are usually evaluated as less severe and out of scope for our bug bounty program.

The Best Reports are Succinct and Reproducible.

Bug bounty teams need two very clear pieces of information in every report: a proof of concept and steps to reproduce it. Hyped descriptions, overly complicated explanations, or reports combining multiple bugs require extra time for our team to parse through reports and identify the details that matter so we can investigate the correct issue. Be brief in your description of the bug, include clear instructions for reproduction, and submit separate reports for each bug. Better reproducibility means we can evaluate and fix the issue much faster, leading to a faster payout for researchers. Reports must be complete to be considered for a bounty. Being first to report an issue is not enough if you don’t include actionable details for the triage team to evaluate it. The first researcher to report an issue AND include the necessary information is awarded the bounty.

Professionalism. Period.

Our primary goal with each report is to quickly identify and fix high risk bugs that impact Uber riders and drivers. Second only to that, we also want to establish respectful relationships with researchers as peers. Asynchronous digital communication — not to mention different language and cultural context — is hard enough for discussing complex concepts. Unprofessional or abusive behavior makes it that much harder for our triage team to understand the full risk and proper prioritization of reports, which can result in a lower bounty. We assume best intent from researchers and expect the same in return.

Finally, thank you to all the researchers whose high quality reports help keep our SNR in check! Your valuable contributions allow us to continuously make improvements to the program.
