Uber to update 'bug bounty' policies after 2016 data breach: executive
[April 26, 2018]
By Dustin Volz
SAN FRANCISCO (Reuters) - Uber on Thursday
plans to announce changes to how it rewards cyber researchers who report
flaws in its software, a company executive told Reuters, as part of the
ride-hailing firm's response to concerns raised about the way it handled
a data breach in 2016.
Among the changes to Uber Technologies Inc's [UBER.UL] so-called bug
bounty program are new terms that more clearly define what Uber does and
does not consider "good faith" vulnerability research, John Flynn, the
company's chief information security officer, said in an interview.
"We're clarifying the difference between researchers that act in good
faith and people who don't," Flynn said. "We're doing a better job about
being explicit about what those things are, because it's important these
programs have high integrity."
Uber will also update its policies to specifically state that it will
not pursue or recommend legal action against good-faith hackers who
submit flaws through its "bug bounty" portal. It will provide support to
those who may face litigation from others as a result of a bug
submission.
The changes are the first made to Uber's bug bounty platform since the
company revealed last November the 2016 data breach of 57 million user
credentials, including names, phone numbers and email addresses.
Reuters reported in December that a 20-year-old man was primarily behind
the breach, and that he was paid by Uber to destroy the data through the
bounty platform after the company received an email from an anonymous person demanding
money in exchange for user data.
The large size of the payment and Uber's use of the bounty system led
some security researchers to criticize the company and suggest it had
sought to conceal a criminal breach.
[Photo caption: The Uber logo is seen on a screen in Singapore August 4, 2017.
REUTERS/Thomas White/File Picture]
"An unfortunate reaction to all this was the doubt cast by some people on
whether companies should run bug bounty programs at all," Flynn said.
Uber apologized for how it handled the breach months after new Chief Executive
Dara Khosrowshahi was installed following founder Travis Kalanick's ouster. The
company fired its chief security officer, Joe Sullivan, and a deputy, attorney
Craig Clark.
As part of the changes, Uber will test an option allowing researchers to donate
their bounties to charity, which the company will match. The company will also
update its submission form to include a question that asks whether personal
consumer information may be exposed through the discovered flaw.
Flynn said the added question is intended to more quickly trigger review
internally as to whether regulators may need to be notified, a change intended
to avoid repeating mistakes made during its response to the 2016 breach. A
European data privacy law taking effect next month will require companies to
disclose within 72 hours whether user data has been compromised.
Marten Mickos, the chief executive of HackerOne, which hosts Uber's bug bounty
program and provided input on its updates, welcomed the changes but said they
alone would not guarantee Uber would avoid its previous mistakes.
"It's not the main thing that was missing in 2016," Mickos said. "The main
failure in 2016 was not notifying the authorities."
(Reporting by Dustin Volz; editing by Grant McCool)
© 2018 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.