This talk will give researchers insight into a program's perspective on bug bounty. First, we identify the characteristics of a successful bug bounty researcher. Then we dive into some specific example reports with the goal of understanding why some reports are more valuable than others; researchers should come away understanding which types of reports are the highest ROI for their time and effort.
Finally, we give researchers insight into the why and how of our recent program updates.
Characteristics of a successful bug bounty researcher
* Report quality: reproducibility; a succinct write-up with the relevant HTTP requests and responses; a statement of your current understanding of the security impact
* Communication: kindness, patience, empathy
* Security impact: how would you exploit this? Is there monetary impact to Uber, or exposure of user data? Are there mitigating factors that reduce the severity?
Which reports are most valuable and why
* Less valuable bugs: promo code fraud; taking a free ride or a free sandwich; open redirects
* Most valuable bugs: account takeover (OAuth redirects, password resets); authorization issues relating to user data; RCE (because of the potential for user data exposure)
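The contrast between a plain open redirect (low value) and an OAuth redirect that yields account takeover (high value) comes down to how the authorization server validates redirect_uri. The following is an added example, not Uber's code or any specific reported bug; the client registration, hostnames and the /go open-redirect endpoint are hypothetical. It compares a lax prefix check with an exact-match check and models how an open redirect on the legitimate domain carries an implicit-flow token to the attacker when the lax check is in place.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hypothetical OAuth client registration (assumption for this example).
REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"


def weak_redirect_check(redirect_uri: str, registered: str) -> bool:
    """Flawed check: accept anything that begins with the registered origin.

    Passes both an open redirect on the right host and a look-alike host
    such as app.example.com.attacker.example, because startswith() does not
    stop at the end of the hostname or the path.
    """
    origin = urlsplit(registered)
    return redirect_uri.startswith(f"{origin.scheme}://{origin.netloc}")


def strict_redirect_check(redirect_uri: str, registered: str) -> bool:
    """Exact match on scheme, host, port and path; no query or fragment; https only."""
    got, want = urlsplit(redirect_uri), urlsplit(registered)
    return (
        got.scheme == "https"
        and got.scheme == want.scheme
        and got.hostname is not None
        and got.hostname == want.hostname  # .hostname is already lowercased
        and got.port == want.port
        and got.path == want.path
        and got.query == ""
        and got.fragment == ""
    )


def authorize(
    redirect_uri: str,
    check: Callable[[str, str], bool],
    token: str = "tok_123",
) -> Optional[str]:
    """Model of the authorization server answering an implicit-flow request.

    Returns the Location header it would send (token in the fragment), or
    None if the supplied redirect_uri fails validation.
    """
    if not check(redirect_uri, REGISTERED_REDIRECT_URI):
        return None
    return f"{redirect_uri}#access_token={token}"


def follow_open_redirect(location: str) -> str:
    """Model of a browser following that Location when the legitimate site has
    an open redirect at /go?next=...  Browsers keep the URL fragment across a
    302 whose own Location has no fragment, so the token rides along to `next`.
    """
    parts = urlsplit(location)
    if parts.path == "/go":
        nxt = parse_qs(parts.query).get("next", [None])[0]
        if nxt:
            return urlunsplit(urlsplit(nxt)._replace(fragment=parts.fragment))
    return location


if __name__ == "__main__":
    # Constructed attacker input: the registered host, but an open-redirect path.
    evil = "https://app.example.com/go?next=https://attacker.example/"
    print("weak  :", follow_open_redirect(authorize(evil, weak_redirect_check) or "rejected"))
    print("strict:", authorize(evil, strict_redirect_check))
```

With the weak check, the open redirect on app.example.com is exactly what turns a low-value report into account takeover; with the strict check, the same open redirect is worth far less because the token never leaves the registered callback.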
Program updates
* Increasing our minimum bounty
* Change in when we issue bounties