Uber to update ‘bug bounty’ policies after 2016 data breach


(Reuters) — Uber Technologies Inc. on Thursday plans to announce changes to how it rewards cyber researchers who report flaws in its software, a company executive told Reuters, as part of the ride-hailing firm’s response to concerns raised about the way it handled a data breach in 2016.

Among the changes to Uber’s so-called bug bounty program are new terms that more clearly define what Uber does and does not consider “good faith” vulnerability research, John Flynn, the company’s chief information security officer, said in an interview.

“We’re clarifying the difference between researchers that act in good faith and people who don’t,” Mr. Flynn said. “We’re doing a better job about being explicit about what those things are, because it’s important these programs have high integrity.”

Uber will also update its policies to specifically state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through its “bug bounty” portal. It will provide support to those who may face litigation from others as a result of a bug submission.

The changes are the first made to Uber’s bug bounty platform since the company revealed last November the 2016 data breach of 57 million user credentials, including names, phone numbers and email addresses.

Reuters reported in December that a 20-year-old man was primarily behind the breach, and that he was paid by Uber to destroy the data through the bounty platform after receiving an email from anonymous person demanding money in exchange for user data.

The large size of the payment and Uber’s use of the bounty system led some security researchers to criticize the company and suggest it had sought to conceal a criminal breach.

“An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all,” Mr. Flynn said.

Uber apologized for how it handled the breach months after new CEO Dara Khosrowshahi was installed following founder Travis Kalanick’s ouster. The company fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark.

As part of the changes, Uber will test an option allowing researchers to donate their bounties to charity, which the company will match. The company will also update its submission form to include a question that asks whether personal consumer information may be exposed through the discovered flaw.

Mr. Flynn said the added question is intended to more quickly trigger review internally as to whether regulators may need to be notified, a change intended to avoid repeating mistakes made during its response to the 2016 breach. A European data privacy law taking effect next month will require companies to disclose within 72 hours whether user data has been compromised.

Marten Mickos, CEO of HackerOne, which hosts Uber’s bug bounty program and provided input on its updates, welcomed the changes but said they alone would not guarantee Uber would avoid its previous mistakes.

“It’s not the main thing that was missing in 2016,” Mr. Mickos said. “The main failure in 2016 was not notifying the authorities.”

Legal warning !
The information, comments and suggestions there are not covered by investment advice. It is based on the author's personal opinions. These views may not fit your financial situation and risk and return preferences. For this reason, based solely on this information, investment decisions may not have the appropriate consequences for your expectation. Our Site is not responsible for any direct or indirect damages incurred by the investors as a result of the use of the information on the Site, deficiencies in the sources, damages incurred by profit, moral damages, or damage to third parties.