Wednesday, 23 March 2016

Uber's bug bounty program is a complete sham, specific evidence entailed.

So if you weren't aware, Uber recently launched a bug bounty program, basically paying security researchers to find bugs that pose a security risk. Now fast forward a couple of days: the number one rated hacker on HackerOne (the site that crowdsources the bounty program), @meals, reports that Uber changed their scope page (tweet) once they had rejected a bunch of bugs on a specific domain (tweet), in order to evade payout. This not only happened to the top hacker on HackerOne but also to myself. I reported an XSS bug, and this is the conversation (screenshot on Imgur). They ultimately closed my bug and reopened it, STATING it was a new valid bug, then closed it again. They validated that it was a bug and swindled me out of a payout. A billion dollar company refuses to pay for valid bugs. We are asking for fair treatment for the security work we do, and no one is holding Uber's feet to the fire.
by theethicalhacker http://ift.tt/1RAuIgC