BugHunters — Bug Bounty Platform
    Back to Programs
    Uber

    Uber

    Mobility

    Global mobility and delivery platform connecting riders with drivers and offering food delivery through Uber Eats.

    https://uber.com

    Max Reward

    $50,000

    Total Paid

    $3,200,000

    Resolved

    456

    Avg Response

    2 days

    In-Scope Assets

    uber.com

    Rider and driver web platforms

    Uber API

    Ride, delivery, and freight APIs

    Uber Apps

    Rider, Driver, and Eats mobile apps

    Uber Eats

    Food delivery platform and merchant tools

    Out of Scope

    • Uber Freight logistics partners
    • Physical driver centers
    • Marketing campaigns

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    UBER-001Fare manipulation via GPS spoofing in rider API
    Critical
    Open
    		$10,000–$50,0000
    UBER-002Driver identity verification bypass in onboarding flow
    High
    In Review
    		$5,000–$15,0002

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.