Uber

Looking to submit vulnerabilities to this program?

Reports to this program can be sent via HackerOne.

194 total issues disclosed

$364,450 total paid publicly

Most disclosed (33 disclosures) — Improper Authentication - Generic

Disclosed Reports

Report Title	Vulnerability Type	Disclosed By	Severity	Disclosed on
Publicly exposed HashiCorp Vault (Secrets management) at usec-gcp-staging.uberinternal.com & usec-gcp.uberinternal.com	None supplied	ayoubfathi_	No rating	2021-08-27
Chain of vulnerabilities in Uber for Business Vouchers program allows for attacker to perform arbitrary charges to victim's U4B payment account	Insecure Direct Object Reference (IDOR)	pmnh	High	2021-08-12
CVE-2020-3452 - unauthenticated file read on anyconnect.routematch.com	Path Traversal	0xprial	Medium	2021-08-05
pam_ussh does not properly validate the SSH certificate authority	Improper Authentication - Generic	penguinsaretasty	Medium	2021-07-21
API on campus-vtc.com allows access to ~100 Uber users full names, email addresses and telephone numbers.	Information Disclosure	healdb	High	2021-07-08
IDOR leads to See analytics of Loyalty Program in any restaurant.	Insecure Direct Object Reference (IDOR)	0xprial	Medium	2021-05-28
private passenger information is exposed to the Uber Driver app during ride dispatch ("Ping") events	Information Disclosure	beezlewaxin	Medium	2021-05-14
Unrestricted File Upload Results in Cross-Site Scripting Attacks	Cross-site Scripting (XSS) - Stored	hunt4p1zza	Medium	2021-05-14
Corss-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees	Privilege Escalation	bubbounty	Medium	2021-05-14
IDOR leads to leak analytics of any restaurant	Insecure Direct Object Reference (IDOR)	0xprial	Medium	2021-04-29
Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser	Information Disclosure	m4ll0k	Critical	2021-03-29
Reflected XSS on https://www.uber.com	None supplied	samux	High	2021-03-15
Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files	Information Disclosure	healdb	Low	2021-03-12
Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system.	Improper Access Control - Generic	healdb	Low	2021-03-06
[Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo	Insecure Storage of Sensitive Information	tomnomnom	Critical	2021-02-25
[First 30] Stored XSS on login.uber.com/oauth/v2/authorize via redirect_uri parameter	Cross-site Scripting (XSS) - Stored	corb3nik	High	2021-02-25
Pre-auth Remote Code Execution on multiple Uber SSL VPN servers	Command Injection - Generic	orange	Critical	2021-02-24
[manage.jumpbikes.com] Blind XSS on Jump admin panel via user name	Cross-site Scripting (XSS) - Stored	cablej	Critical	2021-02-23
duplicate hsts headers lead to firefox ignoring hsts on business.uber.com	None supplied	redshark1802	Low	2020-04-30
Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg	Cleartext Transmission of Sensitive Information	healdb	High	2020-04-30
Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg	Cleartext Transmission of Sensitive Information	healdb	High	2020-04-30
Reflected XSS and sensitive data exposure, including payment details, on lioncityrentals.com.sg	Cleartext Transmission of Sensitive Information	healdb	High	2020-04-30
ubernycmarketplace.com is vulnerable to the Heartbleed Bug	Information Disclosure	healdb	Low	2020-04-23
Full Path and internal information disclosure+ SQLNet.log file disclose internal network information	None supplied	peroni	Low	2020-04-23
Change the rating of any trip, therefore change the average driver rating	Business Logic Errors	overjt	Medium	2020-04-06
Subdomain takeover on mta1a1.spmail.uber.com	Improper Access Control - Generic	0x3c3e	Medium	2020-04-06
Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter	Information Disclosure	appsecure_in	High	2019-09-09
Sensitive user information disclosure at bonjour.uber.com/marketplace/_rpc via the 'userUuid' parameter	Information Disclosure	appsecure_in	High	2019-09-09
Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance	Business Logic Errors	eequalsmc2	Medium	2019-07-18
Client secret, server tokens for developer applications returned by internal API	Information Disclosure	appsecure_in	No rating	2019-02-08
Chained Bugs to Leak Victim's Uber's FB Oauth Token	Improper Authentication - Generic	ngalog	High	2019-01-25
Open Redirect on central.uber.com allows for account takeover	Improper Authentication - Generic	ngalog	High	2019-01-25
Stored XSS on any page in most Uber domains	Cross-site Scripting (XSS) - Stored	mdv	High	2018-11-20
Reflected XSS on multiple uberinternal.com domains	Cross-site Scripting (XSS) - Reflected	fady_othman	Medium	2018-11-13
Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/	Cross-site Scripting (XSS) - Reflected	fady_othman	Medium	2018-11-13
Privacy policy contains hardcoded link using unencrypted HTTP	Code Injection	nightwatch-cybersecurity	Low	2018-11-13
Possibility to inject a malicious JavaScript code in any file on tags.tiqcdn.com results in a stored XSS on any page in most Uber domains	Cross-site Scripting (XSS) - Stored	mdv	High	2018-11-13
Open redirect on rush.uber.com, business.uber.com, and help.uber.com	Open Redirect	4lemon	Low	2018-11-13
SMS/Call spamming due to truncated phone number	Improper Authentication - Generic	indcyberjoker	Low	2018-11-13
Delay of arrears notification allows Riders to take multiple rides without paying	Business Logic Errors	djangohack	None	2018-11-13
No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts	Improper Authentication - Generic	cablej	Medium	2018-11-13
Hack The World 2017 Top 2 Bonus	None supplied	nullelite	No rating	2018-11-13
XSS on partners.uber.com due to no user input sanitisation	Cross-site Scripting (XSS) - Generic	0x0luke	Low	2018-10-04
Reflected XSS on Partners Subdomain	None supplied	mefkan	High	2018-09-16
Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password	None supplied	peuch	Medium	2018-08-27
Information Leak - GitHub - Endpoint Configuration Details	Information Disclosure	peuch	Medium	2018-08-27
Improper Access Control on Onelogin in multi-layered architecture	Improper Access Control - Generic	orange	No rating	2018-08-08
Design Issue at riders.uber.com/profile	Business Logic Errors	ss3	None	2017-12-28
muber-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
lite:sess Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
udi-id Query Parameter Can Generate SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
SSL-protected Reflected XSS in m.uber.com	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication	Improper Authentication - Generic	gregoryvperry	Medium	2017-12-26
It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without	Improper Authentication - Generic	gregoryvperry	Medium	2017-12-26
SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint	Cross-site Scripting (XSS) - Reflected	gregoryvperry	Critical	2017-12-26
The Uber Promo Customer Endpoint Does Not Implement Multifactor Authentication, Blacklisting or Rate Limiting	Brute Force	gregoryvperry	High	2017-12-24
The Microsoft Store Uber App Does Not Implement Server-side Token Revocation	Insufficient Session Expiration	gregoryvperry	Medium	2017-12-24
The Microsoft Store Uber App Does Not Implement Certificate Pinning	Improper Certificate Validation	gregoryvperry	Critical	2017-12-24
SAML Authentication Bypass on uchat.uberinternal.com	Improper Authentication - Generic	mishre	High	2017-09-05
Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com	Improper Authentication - Generic	arneswinnen	Critical	2017-07-13
deleting payment profile during active trip puts account into arrears but active trip is temporarily “free”	Business Logic Errors	temmyscript	None	2017-06-28
phone number exposure for riders/drivers given email/uuid	Information Exposure Through an Error Message	vijay_kumar	Medium	2017-06-02
Session not expired When logout [partners.uber.com]	None supplied	hurthearts	None	2017-05-27
password reset token leaking allowed for ATO of an Uber account	Improper Authentication - Generic	procode701	Critical	2017-05-17
ability to retrieve a user's phone-number/email for a given inviteCode	Information Disclosure	kushal89shah	No rating	2017-05-17
SQL injection in 3rd party software Anomali	SQL Injection	kazan71p	High	2017-03-21
pam-ussh may be tricked into using another logged in user's ssh-agent	Improper Authentication - Generic	solardiz	Medium	2017-03-20
Authorization issue in Google G Suite allows DoS through HTTP redirect	Denial of Service	rijalrojan	High	2017-02-09
Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront	Privilege Escalation	fransrosen	No rating	2016-12-13
Users can falsely declare their own Uber account info on the monthly billing application	Improper Authentication - Generic	rubyroobs	No rating	2016-10-20
Stealing users password (Limited Scenario)	Violation of Secure Design Principles	geekboy	No rating	2016-09-29
Open Redirect in m.uber.com	None supplied	bobrov	No rating	2016-09-27
Attacker could setup reminder remotely using brute force	Cross-Site Request Forgery (CSRF)	cymtrick	No rating	2016-09-19
text injection in get.uber.com/check-otp	None supplied	gopinath6	No rating	2016-09-16
Changing paymentProfileUuid when booking a trip allows free rides	Cross-Site Request Forgery (CSRF)	temmyscript	No rating	2016-09-15
Reading Emails in Uber Subdomains	Improper Authentication - Generic	rijalrojan	No rating	2016-09-14
Bulk UUID enumeration via invite codes	Information Disclosure	vijay_kumar	No rating	2016-09-08
Get organization info base on uuid	Improper Authentication - Generic	severus	No rating	2016-09-02
Estimation of a Lower Bound on Number of Uber Drivers via Enumeration	Information Disclosure	ddworken	No rating	2016-08-24
Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains	Improper Authentication - Generic	vivek-p	No rating	2016-08-24
Multiple vulnerabilities in a WordPress plugin at drive.uber.com	SQL Injection	0xsyndr0me	No rating	2016-08-23
newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf	Code Injection	jamesclyde	No rating	2016-08-22
XSS At "pages.et.uber.com"	Cross-site Scripting (XSS) - Generic	raghav_bisht	No rating	2016-08-19
[IODR] Get business trip via organization id	Improper Authentication - Generic	severus	No rating	2016-08-15
Missing authorization checks leading to the exposure of ubernihao.com administrator accounts	Information Disclosure	issam_rabhi	No rating	2016-08-15
[CRITICAL] -- Complete Account Takeover	Improper Authentication - Generic	parth	No rating	2016-08-15
User Enumeration and Information Disclosure	Information Disclosure	pl_bounty	No rating	2016-08-12
Brute Force Amplification Attack	Violation of Secure Design Principles	enmach	No rating	2016-08-12
Content injection on 404 error page at faspex.uber.com	Violation of Secure Design Principles	ak1t4	No rating	2016-08-12
CBC "cut and paste" attack may cause Open Redirect(even XSS)	Cryptographic Issues - Generic	orange	No rating	2016-08-12
Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers	Information Disclosure	ddworken	No rating	2016-08-12
Stored XSS on developer.uber.com via admin account compromise	Cross-site Scripting (XSS) - Generic	albinowax	No rating	2016-08-12
Avoiding Surge Pricing	Violation of Secure Design Principles	nikhil_patil	No rating	2016-08-11
Blind OOB XXE At "http://ubermovement.com/"	Command Injection - Generic	raghav_bisht	No rating	2016-08-08
Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin	Cross-site Scripting (XSS) - Generic	jouko	No rating	2016-07-27
XSS in people.uber.com	Cross-site Scripting (XSS) - Generic	thezawad	No rating	2016-07-26
Bruteforce INVITE codes easy way	Violation of Secure Design Principles	blinkms	No rating	2016-07-26
Brute-Forcing invite codes in partners.uber.com	Violation of Secure Design Principles	mefkan	No rating	2016-07-26
reopen #128853 (Information disclosure at lite.uber.com)	Information Disclosure	kusl	No rating	2016-07-26
Missing authentication on Notification setting .	Improper Authentication - Generic	vijay_kumar	No rating	2016-07-26
Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint	Improper Authentication - Generic	ddworken	No rating	2016-07-26
Self-XSS on partners.uber.com	Cross-site Scripting (XSS) - Generic	cyber__sec	No rating	2016-07-26
XSS via password recovering	Cross-site Scripting (XSS) - Generic	codequick	No rating	2016-07-26
Defect-Security \| Driver-Broken Authentication \| Able to update the Subscription Setting anonymously	Improper Authentication - Generic	punkit	No rating	2016-07-26
User credentials are not strong on vault.uber.com	Improper Authentication - Generic	bugs3ra	No rating	2016-07-26
XSS in uber oauth	Cross-site Scripting (XSS) - Generic	zombiehelp54	No rating	2016-07-26
Can add employee in business.uber.com without add payment method	Improper Authentication - Generic	severus	No rating	2016-07-26
Text Only Content Spoofing on ubermovement.com Community Page	Violation of Secure Design Principles	vivek-p	No rating	2016-07-26
Requested and received edit access to Google form	Information Disclosure	siddiki	No rating	2016-07-26
Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com	Privilege Escalation	rojansec	No rating	2016-07-26
Uber is Flooding my Mobile with SMS Daily like a cron JOB	Violation of Secure Design Principles	anish2good	No rating	2016-07-26
xss in https://www.uber.com	Cross-site Scripting (XSS) - Generic	netfuzzer	No rating	2016-07-25
SQL Injection on sctrack.email.uber.com.cn	SQL Injection	orange	No rating	2016-07-25
xss vulnerability in http://ubermovement.com/community/daniel	Cross-site Scripting (XSS) - Generic	netfuzzer	No rating	2016-07-21
OneLogin authentication bypass on WordPress sites via XMLRPC	Code Injection	jouko	No rating	2016-07-16
Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)	Improper Authentication - Generic	mongo	No rating	2016-07-14
Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites	Information Disclosure	jutsuce	No rating	2016-07-13
Information regarding trips from other users	Information Disclosure	maluko	No rating	2016-07-12
Stored self-XSS at m.uber.com	Cross-site Scripting (XSS) - Generic	skavans	No rating	2016-07-09
Newsroom.uber HTML form without CSRF protection	Cross-Site Request Forgery (CSRF)	mefkan	No rating	2016-07-08
Error Message on 404 page	None supplied	top	No rating	2016-07-08
Email Enumeration Vulnerability	None supplied	hussein98d	No rating	2016-07-08
Self-XSS in Partners Profile	Cross-site Scripting (XSS) - Generic	s0nk3y	No rating	2016-07-08
Phone Number Enumeration	Information Disclosure	megocode3	No rating	2016-07-08
Server version disclosure: team.uberinternal.com	Information Disclosure	benoculars	No rating	2016-07-08
Command Injection, Information	Command Injection - Generic	khiladibayal	No rating	2016-07-08
faspex.uber.com uses an invalid SSL certificate	Cryptographic Issues - Generic	ddworken	No rating	2016-07-08
Authentication Issue for easter egg on bonjour.uber.com	Improper Authentication - Generic	ddworken	No rating	2016-07-08
Server version disclosure	Information Disclosure	japz	No rating	2016-07-08
Email Address Enumeration	Violation of Secure Design Principles	mefkan	No rating	2016-07-08
Header Injection	Denial of Service	mangotango	No rating	2016-07-08
Clickjacking in love.uber.com	Violation of Secure Design Principles	mangotango	No rating	2016-07-08
Information Disclosure on lite.uber.com	Information Disclosure	kusl	No rating	2016-07-08
Stored XSS in developer.uber.com	Cross-site Scripting (XSS) - Generic	albinowax	No rating	2016-06-27
Possibility to get private email using UUID	Information Disclosure	shmoo	No rating	2016-06-15
Unauthorized file (invoice) download	Improper Authentication - Generic	ninad	No rating	2016-06-15
Use Partner/Driver App Without Being Activated	Improper Authentication - Generic	shmoo	No rating	2016-06-14
SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/	SQL Injection	glc	No rating	2016-06-14
Possible to View Driver Waybill via Driver UUID	Information Disclosure	shmoo	No rating	2016-06-14
Unsubscribe any user from receiving email	Violation of Secure Design Principles	ashish_r_padelkar	No rating	2016-06-14
developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes	None supplied	jreynoldsdev	No rating	2016-06-14
Disclosure of ways to the site root	Information Disclosure	cyberunit	No rating	2016-06-14
Information disclosure at lite.uber.com	Information Disclosure	kusl	No rating	2016-06-14
Multiple Vulnerabilities (Including SQLi) in love.uber.com	None supplied	siddiki	No rating	2016-06-14
Easy spam with USE My PHONE Feature	Memory Corruption - Generic	decoder	No rating	2016-06-14
Session Impersonation in riders.uber.com	Improper Authentication - Generic	durga	No rating	2016-06-14
Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers	Information Disclosure	ddworken	No rating	2016-06-14
Disclosure of ip addresses in local network of uber	Information Disclosure	iad	No rating	2016-06-14
SMS Flood with Update Profile	Denial of Service	anish2good	No rating	2016-06-14
Changing Driver Passwords With Only an Authenticated Session (no password, no email)	Violation of Secure Design Principles	ddworken	No rating	2016-06-14
Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page	Violation of Secure Design Principles	ddworken	No rating	2016-06-14
Uber password reset link EMAIL FLOOD	Denial of Service	anish2good	No rating	2016-06-14
Privilege escalation to allow non activated users to login and use uber partner ios app	Privilege Escalation	mini	No rating	2016-06-14
Possibility to brute force invite codes in riders.uber.com	Violation of Secure Design Principles	r0t	No rating	2016-06-14
Stored Cross Site Scripting [SELF] in partners.uber.com	Cross-site Scripting (XSS) - Generic	patrik	No rating	2016-06-14
Create account in uber without signup form	Improper Authentication - Generic	blueberryinfosec	No rating	2016-06-13
Self-XSS Vulnerability on Password Reset Form	Cross-site Scripting (XSS) - Generic	bhavi	No rating	2016-06-13
Active Email Hyperlink Sent on riders.uber.com	Violation of Secure Design Principles	rohk	No rating	2016-06-13
Enumerating userIDs with phone numbers	Information Disclosure	r0t1v	No rating	2016-06-11
Password Reset Does Not Confirm the Existence of an Email Address	Improper Authentication - Generic	err	No rating	2016-06-08
Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)	Privilege Escalation	jouko	No rating	2016-06-06
OneLogin authentication bypass on WordPress sites	Improper Authentication - Generic	jouko	No rating	2016-06-06
Bypassing Uber Partner's 3 Cancel Limit	Command Injection - Generic	razeeb	No rating	2016-05-27
DOM based XSS on	Code Injection	blackzero	No rating	2016-05-26
Issue with Password reset functionality	Improper Authentication - Generic	ninad	No rating	2016-05-23
Stored XSS in drive.uber.com WordPress admin panel	Cross-site Scripting (XSS) - Generic	jouko	No rating	2016-05-14
Drivers can change profile picture	Improper Authentication - Generic	rohk	No rating	2016-05-12
CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ```backup.uber.com```	None supplied	ddworken	No rating	2016-05-10
CRLF Injection in developer.uber.com	None supplied	kirit1193	No rating	2016-05-10
Session retention is present which reveals the customer info	Improper Authentication - Generic	blueberryinfosec	No rating	2016-05-10
XSS on love.uber.com	Cross-site Scripting (XSS) - Generic	iad	No rating	2016-05-10
Reflected XSS via Livefyre Media Wall in newsroom.uber.com	Cross-site Scripting (XSS) - Generic	mdv	No rating	2016-05-10
Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0)	Cross-site Scripting (XSS) - Generic	ddworken	No rating	2016-05-10
Reflected XSS via Unvalidated / Open Redirect in uber.com	None supplied	mdv	No rating	2016-05-10
Dom Based Xss	Cross-site Scripting (XSS) - Generic	e3xpl0it	No rating	2016-05-10
Mass Assignment Vulnerability in partners.uber.com	Code Injection	rohk	No rating	2016-05-10
XSS @ love.uber.com	Cross-site Scripting (XSS) - Generic	siddiki	No rating	2016-05-07
Cross-site Scripting (XSS)	Cross-site Scripting (XSS) - Generic	djadmin	No rating	2016-05-07
CSRF on eng.uber.com may lead to server-side compromise	Cross-Site Request Forgery (CSRF)	jouko	No rating	2016-04-26
SQLi in love.uber.com	SQL Injection	iad	No rating	2016-04-25
Pixel flood attack in https://riders.uber.com/profile	Denial of Service	pwder	No rating	2016-04-25
It is possible to re-rate a driver after a very long time	Violation of Secure Design Principles	mohaab007	No rating	2016-04-25
Open Redirection on Uber.com	Open Redirect	rohk	No rating	2016-04-23
XSS In archive.uber.com Due to Mime Sniffing in IE	Cross-site Scripting (XSS) - Generic	ddworken	No rating	2016-04-06
CSV Injection in business.uber.com	Information Disclosure	ddworken	No rating	2016-04-06
uber.com may RCE by Flask Jinja2 Template Injection	Code Injection	orange	No rating	2016-04-06
HTML Escaping Error in the 404 Page on developer.uber.com/docs/	Cross-site Scripting (XSS) - Generic	ddworken	No rating	2016-04-06
XSS in getrush.uber.com	Cross-site Scripting (XSS) - Generic	ddworken	No rating	2016-04-06
Reflected XSS on Uber.com careers	Cross-site Scripting (XSS) - Generic	pavanw3b	No rating	2016-04-06
Reflected XSS on developer.uber.com via Angular template injection	Cross-site Scripting (XSS) - Generic	albinowax	No rating	2016-04-05
XSS on partners.uber.com	Cross-site Scripting (XSS) - Generic	redshark1802	No rating	2016-03-24
LIsting of http://archive.uber.com/pypi/simple/	Information Disclosure	gopinath6	No rating	2016-03-24
Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/	Cross-site Scripting (XSS) - Generic	exodia_forbidden_one	No rating	2016-03-24

BugBountyHunter

Uber

Disclosed Reports