COMMSEC: UberBounty: Bug Bounty from a Program’s Perspective

PRESENTATION SLIDES (PDF)

This talk gives researchers insight into a program's perspective on bug bounty. First, we identify the characteristics of a successful bug bounty researcher. Then we dive into specific example reports with the goal of understanding why some reports are more valuable than others; researchers should come away knowing which types of reports offer the highest ROI for their time and effort.

Finally, we explain the why and how behind our recent program updates.

Characteristics of a successful bug bounty researcher

* Report quality: reproducibility; a succinct write-up with the HTTP requests and responses; documentation of your current understanding of the security impact
* Communication: kindness, patience, empathy
* Security impact: how would you exploit this? Is there monetary impact to Uber or exposure of user data? Are there mitigating factors that reduce severity?

Which reports are most valuable and why

* Less valuable bugs: promo code fraud; taking a free ride/sandwich; open redirects
* Most valuable bugs: account takeover (OAuth redirects, password resets); authorization issues relating to user data; RCE (because of the potential for user data exposure)

Program updates

* Increasing our minimum bounty
* Change in when we issue bounties

COMMSEC
Location: Track 4 / CommSec
Date: April 14, 2017
Time: 12:15 pm - 12:45 pm
Speaker: Rob Fletcher