The first vulnerability I found for Uber's bug bounty was a reflected XSS in ``````. It was caused by Uber not escaping the ```utm_campaign```, ```utm_medium```, and ```utm_source``` parameters at ``````. It could be exploited by injecting `````` into any of those parameters. I reported this to Uber on March 22nd, it was triaged the same day, and patched on the 23rd. A 3000 dollar bounty was awarded on April 6th. You can see the original report (including a few markdown errors...) [here](
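
The root cause described above, `utm_*` parameters reflected into a page without escaping, shown next to the escaped form. This is an added example, not code from the original report or from Uber; the hidden-input template, the function names, and the attribute context are assumptions, and the sample query is constructed with a harmless marker element.

```javascript
// Added example: reflecting utm_* parameters with and without HTML escaping.
// The template and all function names are hypothetical, not Uber's code.
const UTM_KEYS = ["utm_campaign", "utm_medium", "utm_source"];

// Escape the five characters that can change HTML structure in text
// nodes and in quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: parameter values are concatenated into markup as-is.
function renderUnsafe(query) {
  const params = new URLSearchParams(query);
  return UTM_KEYS
    .map((k) => `<input type="hidden" name="${k}" value="${params.get(k) ?? ""}">`)
    .join("\n");
}

// Hardened form: every reflected value is escaped before it reaches the markup.
function renderSafe(query) {
  const params = new URLSearchParams(query);
  return UTM_KEYS
    .map((k) => `<input type="hidden" name="${k}" value="${escapeHtml(params.get(k) ?? "")}">`)
    .join("\n");
}

// Constructed sample input: a benign marker that closes the attribute and tag.
const SAMPLE_QUERY = "utm_source=news&utm_medium=email&utm_campaign=" +
  encodeURIComponent('"><b id="marker">x</b>');

// True when the rendered fragment contains markup the template did not author.
function hasInjectedMarkup(html) {
  return /<b id="marker">/.test(html);
}

console.log("unsafe reflects markup:", hasInjectedMarkup(renderUnsafe(SAMPLE_QUERY)));
console.log("safe reflects markup:  ", hasInjectedMarkup(renderSafe(SAMPLE_QUERY)));
```

The same marker-based check works as a regression test: render each reflected parameter with a structure-breaking value and assert that the marker never appears as live markup.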