The first vulnerability I found for Uber’s bug bounty was a reflected XSS in getrush.uber.com. It was caused by Uber not escaping the utm_source parameters at getrush.uber.com/business. It could be exploited by injecting `</script><script>alert(0)</script>` into any of those parameters.
I reported this to Uber on March 22nd; it was triaged the same day and patched on the 23rd. A $3,000 bounty was awarded on April 6th. You can see the original report (including a few markdown errors…) here.
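To show why the `</script>` payload above works and what the fix looks like, here is an added example that is not part of the original write-up or Uber's code. It assumes the page reflected the raw `utm_source` value into an inline script block (the template shape and function names are illustrative assumptions), and contrasts that with a serializer that escapes the characters an HTML parser would use to close the script element, plus a regression check a defender can keep in CI.

```javascript
// Added example, not code from the original report or from Uber.
// Models a server-side template that reflects the utm_source query parameter
// into an inline <script>, then shows a hardened serializer and a check.

// Assumed vulnerable pattern: the parameter is concatenated straight into
// JavaScript source inside a <script> element, so a value containing
// "</script>" ends the element early and the rest is parsed as new HTML.
function renderVulnerable(utmSource) {
  return `<script>var source = "${utmSource}";</script>`;
}

// Hardened serializer: JSON.stringify handles quotes and backslashes, and the
// extra replacements turn <, >, & and the U+2028/U+2029 line terminators into
// \uXXXX escapes. The HTML parser never sees a literal "</script>", and the JS
// engine still decodes the escapes back to the original characters.
function safeJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(utmSource) {
  return `<script>var source = ${safeJsStringLiteral(utmSource)};</script>`;
}

// Pulls utm_source out of a full URL the way a request handler would,
// so the same check can run over real query strings.
function utmSourceFromUrl(urlString) {
  return new URL(urlString).searchParams.get('utm_source') || '';
}

// Regression check: the rendered page should contain exactly one <script>
// element. More than one means user input broke out of the literal.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round-trips the serialized literal through the JS engine to confirm the
// hardened output still carries the original value (no data loss).
function decodeLiteral(literal) {
  return new Function('return ' + literal)();
}

// The payload from the report, used as constructed test input.
const REPORT_PAYLOAD = '</script><script>alert(0)</script>';
const CONSTRUCTED_URL =
  'https://example.invalid/business?utm_source=' + encodeURIComponent(REPORT_PAYLOAD);

if (typeof require !== 'undefined' && require.main === module) {
  const param = utmSourceFromUrl(CONSTRUCTED_URL);
  console.log('vulnerable script tags:', countScriptOpenTags(renderVulnerable(param)));
  console.log('hardened script tags:  ', countScriptOpenTags(renderHardened(param)));
}
```

Run with `node` to see the vulnerable template yield two `<script>` elements and the hardened one yield exactly one; the same `countScriptOpenTags` check is cheap enough to run against rendered fixtures in CI so a regression in the escaping layer is caught before deploy.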