As bits of information about the Uber data breach have trickled out, including the purported payment through a bug bounty program, I have been concerned about the implications on legitimate corporate bug bounty programs. My concerns grew when I read the New York Times article, Inside Uber’s $100,000 Payment to a Hacker, and the Fallout.
The February 6, 2018, testimony by John Flynn, Uber’s Chief Information Security Officer, makes me feel better because it finally made clear (to me, anyway) that this was not a legitimate bug bounty program situation (see full written testimony):
As you know, Uber paid the intruders $100,000 through HackerOne and our bug bounty program. Our primary goal in paying the intruders was to protect our consumers’ data. This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.
We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed. While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients.
When dealing with something like this, in the world of data breach reporting and notification, details, motive, and the order of events matter. It appears that Uber attempted to take an existing incident (that was likely a data breach requiring reporting and notification) and mitigate it by running it through its bug bounty program in an effort to de-breach it, so to speak. While this was a creative approach and one that could raise issues about other mitigation efforts that companies may try for dealing with incidents, such discussions are beyond the scope of this post.
What is important, to me anyway, is that this was not a legitimate use of Uber’s bug bounty program that is now being second-guessed. I think that should help corporate security and legal professionals sleep a little better.
In Flynn’s testimony, he does an excellent job of explaining bug bounty programs and, specifically, Uber’s bug bounty program and the success it has had since implementation. He also explains Uber’s incident response process in this particular situation and offers insight into just how quickly an IR team must act — something everyone should understand. I strongly encourage anyone interested to read his full testimony.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.