Uber Accused of Skipping Out of Paying Bug Bounties

With all the apps and systems that are used, created and updated every day it is often impossible for you to be absolutely certain about their security. This resulted in the creation of external help through schemes like bug bounties unless your Uber who change the scope of what bug bounties they’ll be paying.

Bug bounty schemes are simple. If you find a problem in the code or system that a company uses, you report it to the company running the scheme and if they find it was a problem, you get paid. Even Microsoft and GitHub run schemes to help narrow down and find problems with their software. The issue comes here is that only this week popular taxi alternative app Uber launched its own bug bounty scheme.

Sean Melia found a few issues or rather a few admin panels/ports that were open. This fell in line with what Uber wanted under the grouping of “publicly accessible login panels” and “exposed administration ports (excluding OneLogin)”. After reporting the first issue which was quickly accepted as a bug, Melia went about finding others resulting in the large group he ended up reporting. The problem was that by this time Uber had updated their documentation to make these reports invalid, without informing people using the scheme. Free security support anyone?

The reason for the change? Ubers security engineering manager, Collin Greene, has stated they changed the rules so that they stopped researchers wasting their time on minor bugs. Greene then stated that “a successful bug bounty rests on researchers trusting us to run it well, which we take very seriously”, something that may not go down so well when you are willing to change the goalposts without telling people.

Was Uber right in this case? Should they have acted differently? A problems a problem, even with a lesser payment, should Melia have received something given that he did the work under the old rules?

Amazon’s Mysterious Big Box is Out Again

Remember early this year when people started seeing massive Amazon packages in parts of the US (like the one above)?

Well now they’re back, except not for promotional purposes this time. According to Re/code they’re part of a new programme the company will be unveiling next week.

“We’re excited to be making 15 special deliveries next week as part of the holiday season,”

While the previous boxes contained Nissan cars, these boxes appear to be a bit smaller, albeit still requiring a truck, so it’s intriguing as to what this could be for.

As Amazon says, there are 15 dotted around the US, so if any of you see one, send us a link to your picture in the comments.

Source: Re/code