Tuesday , 19 June 2018

Uber accused of changing scope of bug bounties to avoid payouts

Uber not paying for bounties it said it would, claim ethical hackers

BLACK CAB NEMESIS Uber has created a new bunch of enemies after hackers accused the firm of moving the goal posts on a recently launched bug bounty programme to avoid paying for discoveries.

Uber launched a bug bounty programme earlier this week, promising payouts as high as $10,000 for critical vulnerabilities.

However, in the few days since launch the company has apparently started changing the scope of how it rates bugs, seemingly to avoid paying out.

Top rated HackerOne community hacker Sean Melia tweeted that he had seen this happen after submitting a bug:

Some questioned whether Melia had found bugs that really warranted a reward, but he, somewhat understandably, pointed out that if what he found was considered within the scope of the bug bounty programme at the time of submission a payout should be forthcoming.

Another hacker with the moniker ‘theethicalhacker’ took to Reddit to report a similar case.

“I reported a xss bug and this is the conversation screenshot Imgur. They ultimately closed my bug and reopened it STATING it was a new valid bug, then closed it again. They validated it was a bug and swindled me out of a payout,” they wrote.

“A billion dollar company refuses to pay for valid bugs. We are asking for fair treatment for the security work we do and no-one is holding Uber’s feet to the fire.”

In response, Uber said that while it thanked the researcher for the findings, they were of low severity and did not affect its overall security.

“This researcher found, as he said himself, a collection of low severity issues. Our bug bounty program financially rewards submissions that have a security impact to our system. But we always welcome researchers sharing any findings and we thank him for his work.”

Whichever side considers itself in the right, the incidents will join the growing list of gripes white hat hackers have with bug bounty programmes, such as low payouts, refusal to acknowledge discoveries and fixing bugs without issuing rewards. µ
