#BugBounty.. I started with it a few months back. The real challenge that a newbie bounty hunter faces is the “Competition”. Whenever a new program is announced on HackerOne or Bugcrowd, within a very few hours, 100s of reports are submitted. All the low-hanging fruit is gone! But I wanted to grab some from my fellow hunters. Here’s the story of how I got lucky with Uber recently.
I don’t get anything special if I do the same thing that everyone else does.
I planned my strategy. Let’s not concentrate on the bounty “money” and let’s go no-bounty. I started with the public programs from the world’s known brands, which offer only Hall of Fame or Thanks. That worked!! I succeeded with Nokia, Sony, HTC & others.
But something better was written in my destiny. When I found that Uber had a hall of fame on www.uber.com/security (which now redirects to their HackerOne program), I dreamed of getting on there. Started hunting their application. The same night, I was able to find one Reflected Cross-Site Scripting (XSS) issue on their main domain. That was pretty easy to find. One of my favorite scanners gave me a hint while I was doing manual testing on the other side. When verified, I found it was a valid security bug. I was not very excited because I was just getting my name onto their hall of fame.
Prepared a report with the bug description, steps to reproduce, the risk and the mitigations and sent it to security-abuse@uber.com as mentioned on their website. Had to sleep immediately as it was late already. Went to the office the next day. The next evening there were two interesting emails in my inbox. One was from HackerOne and another was from the Uber Security team. Obviously I opened the Uber email first. It read as
Oooh!! Private Program?! Then I realized within a few seconds that the other email from HackerOne was the same invitation. It was true when I checked the other email. That’s my very first Private Bounty Program invitation!
I pasted the same report that I sent over email into a HackerOne report and submitted it. Within a few minutes Mathew acknowledged the bug by moving the state to Triaged. That means the bug was considered and the dev team will be asked to fix it after further investigation. I was very much excited then, but I was not supposed to talk about this to anybody else as it was a private program. After a month I learnt that the program went Public. Now I can at least tell somebody that the Uber bug bounty exists!
Around 40 days after the reporting, the status was changed to Resolved and I was asked to confirm the fix. I verified and it was all good. I requested Public Disclosure of the report. I was told to wait some days for the bounty as they will reward in batches. As Reflected XSS is a medium risk security issue, I was expecting some $300 to $500.
Then something strange happened which changed my luck!! Uber announced something called “Loyalty Program” and also increased the payouts for bugs. That put reflected XSS at $3000, but I was not aware of this bonus program until I saw the email from HackerOne about being rewarded $3000!! First I thought I saw $300, but a fraction of a second later I couldn’t believe my eyes, it was 3k!! Public Disclosure of my report was also agreed to.
As it was my first pay from HackerOne, I had to fill out all the tax forms & PayPal account details. 6-8 days later $3k was credited to my PayPal account. After the conversion into INR, finally Rs. 1,92,629.95 was credited to my Indian bank account.
So this is how I was lucky with Uber. You can find the actual HackerOne report here.
Wish me all the best with my next hunting!!
Congratulations, Pavan.
Hey awesome Pawan. Keep it going