Having descriptions of all the various services is great.
Something I couldn't see here is that while you ask for bugs related to a variety of accounts, are there ways of creating such accounts? I can fairly easily ensure I don't poke at the normal user account of someone else, but what about drivers/businesses/etc?
More generally for HNers, are there common ways of dealing with this? Do people try and run parallel stacks that don't contain real info? Or do devs setup fake accounts?
I'm not in this business so apologies if I'm missing something really obvious.
As of this time we do not have a good system for creating test accounts for our bug bounty submitters. Please create an account as you would normally and perform testing with that account.
There are a ton of bug bounties nowadays, but it's a nice change of pace to have a company give some data on backend stack, subdomains, and purpose of the services up front.
I would love a Marauder's Map for bug bounty programs: Show me who is working on what, where they're finding bugs, and help me identify where I can most efficiently spend my time. Lots of 'feel bads' if I report a bug that's already been reported, and thus don't get a payout.
Maybe you could set up a public Slack room to discuss? I'm not involved in the bounty but it seems like a reasonable way to organize. Utilizing the search people could figure out whether anyone is working on what they're planning to do.
That could be a decent hack to get started. Ideally, I'd like for it to be a feature of hackerone et al, assuming security@ as a service providers become the point of interaction with the external security community.
1. Messages to drivers are apparently not through uber?
It seems like sending a message to a driver happens through SMS rather than through uber itself. This seems to result in driver not seeing message. Had that happen twice yesterday. Told driver exactly where I was. Driver gets lost and calls me and from conversion it's clear he never read the message.
2. Can't change your pick up point.
Ran into this yesterday. Was waiting near corner of franklin and market on market on the outbound side wanting to go to sunset area. Guy doesn't read message which specifically said turn right on market (he was on Page that lets you turn right onto market). Instead he crossed market which at that point I had to cancel the ride because it would have been another 10 minutes for him to drive the 10+ blocks to correct his mistake
That led to getting driver #2. He was coming down Gough so in the interest of making it easier for both of us I walked up to Gough. I wasn't able to change my pickup location. I messaged him that I had moved to gough and market. He called when he got to franklin and market making it clear he didn't get my message.
As an uber driver, I've never had any problems messaging passengers or receiving messages. I prefer that they go through my SMS.
The pick up point issue I have had on multiple occasions. Mostly it's that the customer enters a bad pick up point or the pick up point they enter for some reason on my end is a house or two down. When it's an apartment building the pick up point directs me towards the back of the building. But a lot of common sense and knowing my city well goes a long way.
Yes - I was visiting India last year and used Uber (ubiquitous and cheap in major cities there) and noticed that the drivers had trouble finding me. One or two of them told me that they tried to call my number (a US number on T-Mo) and their plan didn't allow it.
This very issue resulted in the Uber app telling my driver to simply stop on the side of an expressway and pick me up. I was on the other side of a fence next to that expressway, on a parallel road. But the Uber app wrongly understood which of the two parallel roads I was meant to be picked up on. If the driver could see where I was, it should have been obvious to him.
This is a hard problem, though, since a lot of jurisdictions don't allow drivers to send or receive written messages, or operate phones, while driving, and the drivers often can't pull over in time to deal with a message legally.
Their back-end switched my account with someone in London. They were able to charge trips to my account! Customer service wasn't exactly helpful either.
The going rate for critical bounties is way too small. It's upsetting to see a company worth $10+ billion offering $5k - $15k when it comes to the protection of their user's information. Just earlier this month Facebook rewarded a paltry $15k for a bug that could unlock any user's account. That sort of information in the wrong hands or resulting in a massive PII leak will cause a few orders of magnitude higher in damage to their market cap and goodwill.
And I say this from personal experience. Two years ago I submitted a bug to a $10B+ public company which revealed the personal information (email, name, home address, phone) of ~145M users and they offered $10k. Another recent example to a $50B+ public company via HackerOne that exposed the same sort of data for ~77M users. They paid out $1k. I assumed they had left off a 0, but nope, they actually told me $1k was higher than their normal bounty due to the severity. Submitted a bug to a publicly traded food delivery company in the UK, which revealed detail order history (customer name, address, email, phone, partial CC #) for their entire platform. They offered me £500 in food delivery credit. All of my submissions have been purely in good faith and nothing at all resembling extortion, but I assure you there are thousands of bad actors out there far more skilled than I.
And there's plenty of legal outlets for this information (depending on how it is accessed of course). Local governments and Lyft would love to know ridership usage details about Uber.
I always think people should get a full time position rather than earning money through bounty as a full time job. When I have time, I do play with bounty and if I am lucky I can make extra dollars. I earned one big one, but in the second one the company did not honor the payment at all, but I was cool enough to let that shit go despite what I found was critical enough to destroy their product launch that night (basically elementary web vulnerability).
Your statements are going to be attacked by the usual "you don't know shit, we have argued about this ten million times here on HN." Companies are not going to reward you with $1M (think about Instagram's 1M bug [0]). While you can't really sell this to the blackmarket and expect to overload people's credit card, this is still a P1 incident and requires a major bounty reward. I am not going to discuss about what happened in this case, but even if he did get paid he wouldn't be getting 1M.
The reason is simple: there are a lot more people willing to play this game and many believe being on some Hall of Frame is a great addition to their security professional resume.
Yeah, I get the economics of it, which unfortunately can be a good deal for the company. They get numerous people working on a hard problem for basically free. And most of us do it purely for the challenge and fun, so the reward (if any) is oftentimes irrelevant.
It's just there's such a large market for this sort of information (and I'm not talking about stolen credit cards, spam, fraud. Competitive intelligence is a huge industry) and there are many full-time security engineers whose only job is to find the holes some company is trying to outsource to bored programmers.
I have extremely limited professional experience being in the security engineering industry, but my impression of a typical security engineer within a tech company:
* advocate and standardize security practice in software development and throughout the company (if you don't have a separate IT/enterprise security team)
* write automation to enhance your security enforcement/checks prior to production deployment (check if server is running outdated kernel? nodejs version? password committed? basic web vulnerability checks? Security headers like HSTS present?)
* act as a consultant in product development (e.g. we handle this data and here is how we plan to use it, do you have any concerns and recommendations)?
* code review (besides regular product code review, most of the time there are ad-hoc request from engineers - "hey we need your expertise on writing this feature"), or because the code looks hot ("have been exploited before") and needs a sign off from a security engineer.
It is very rare to see someone in a major tech company spend the entire day reviewing code to find vulnerable bugs. You'd spend the whole day running through ASan, UBsan, bunch of fuzzers, whatever, wait for potential exploits to pop up, then you start analyzing the vulnerability, At least that's my understanding, but feel free to shine light.
I assume that Uber is not competing with black market interest in bugs, rather they are competing against interest in other bug bounty programs.
The number of people who earnestly compare rates between bounty programs and black market buyers before deciding who to inform must be vanishingly small. However, the number of people who compare bounty rewards before deciding who to test against is likely much higher.
No. YOu have to compare that number to how much you could get for that exploit on the black market. 15K seems cheap for a critical bug on a major platform.
Well the parent seemed to miss the point -- the real calculus is cost to the company if the exploit were to be used effectively, monetary benefit to the person who finds the bug, and the recognition you'd get in the blackhat community.
Yes the payout calc by company is cost to the company of an exploit, but with a repeated game scenario.
i.e. you can't look at the bug and payment in a vacuum, you have to factor in future bugs.
So the cost is the value to the company for the exploited bug if used properly plus the expected value of future bugs.
Which is weird, right? This shows companies can be internally incentivized to reduce bug bounty payments to show 'they are improving' when in fact, developers are leaving their bug bounty program.
>> It's upsetting to see a company worth $10+ billion offering $5k - $15k when it comes to the protection of their user's information. Just earlier this month Facebook rewarded a paltry $15k for a bug that could unlock any user's account. That sort of information in the wrong hands or resulting in a massive PII leak will cause a few orders of magnitude higher in damage to their market cap and goodwill.
Regardless of what you think about bug bounty valuation, it's not unfair. This has been rehashed so, so many times and rebuked by people like tptacek, thegrugq and myself that I'm just going to start pasting this comment whenever this sentiment comes up on HN:
This has been discussed many, many times on HN before. This bug would not cause Facebook much damage; in fact, Facebook and Google tend to overpay rewards for bugs for the purposes of goodwill and recruiting.
Let's examine the facts:
1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.
2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.
3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.
There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.
If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.
What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?
Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?
The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.
Do you use the same (de)value justification when billing clients for your security services? Or, maybe, it's precisely because you're all security professionals who make a living by identifying security flaws and you'd prefer not to introduce competition from the open market. Unattractive bug bounties ensure you can justify your services.
Just like Uber is to the taxi industry, bug bounties are a disruption to your own business model.
I can understand why you'd believe this, but I am actually a fan of bug bounty programs. I have both participated in and managed bug bounty programs before and I think they are absolutely a win for our industry. Frankly, they occupy a different market positioning than my own work.
Of course, you're free to believe or disbelieve that, but each of my points stand on their own weight regardless of my own occupation.
But then wouldn't be a crime if you make a hint to FB to get leverage for more reward? Actually, before it turns into an authority call, FB would disqualify you right away.
So the first 'season' of the bug bounty is 90 days long, and to qualify for payment you need to find 4 bugs before you can be eligible for payment? That seems initially quite off putting.
I had to read that part twice as well. It seems that it's in addition to whatever they are offering 'per bug' - you basically get a 10% bonus on the average of everyone else's payouts.
So for example:
Bug 1 - $2k
Bug 2 - $3k
Bug 3 - $6k
Bug 4 - $1.5k
Bug 5 - $2k + 10% of total commuity average payout as bonus
Laying out all their services and telling you what each runs on...ballsy. It's the electronic equivalent of telling strangers where you live and who built the house.
Security through obscurity will not get you very far. This map just removes that false protection and potentially gets more bug hunters' eyes on their services.
As someone whose not really familiar with Uber except at a high level overview kind of way, does anyone know their reasoning behind not wanting a path from email to uuid as a unique concern to them?
My guess is that they're trying to avoid people who've acquired a list of email addresses being able to trivially work out which of those addresses have Uber accounts. With that information one could target only those accounts with phishing attacks and the like with potentially fewer people flagging those emails as suspicious.
"What to look for" part sort of did not make any sense. If the security engineers at Uber has a sense of where the vulnerabilities might come from, they might as well seek those themselves.
I don't think anybody would say "oh yeah we were expecting some security bug to arise from this code". I thought the point of security issues is, they show up from places where you wouldn't even expect. I might be wrong.
As an almost complete beginner how would I get to the point of being able to consistently find security issues where they exist? I've got enough experience as a developer to avoid the most common vulnerabilities, but I don't really know how I'd go about approaching things from the other direction to surface potentially undiscovered issues.
Something I couldn't see here is that while you ask for bugs related to a variety of accounts, are there ways of creating such accounts? I can fairly easily ensure I don't poke at the normal user account of someone else, but what about drivers/businesses/etc?
More generally for HNers, are there common ways of dealing with this? Do people try and run parallel stacks that don't contain real info? Or do devs setup fake accounts?
I'm not in this business so apologies if I'm missing something really obvious.