Uber Updates ‘Bug Bounty’ Payments Policy

Uber

Uber is changing its policy on bug bounties, payments to people who expose data security problems, Reuters reported on Thursday (April 26).

“We’re clarifying the difference between researchers that act in good faith and people who don’t,” Uber Chief Information Security Officer John Flynn told the newswire. “We’re doing a better job about being explicit about what those things are, because it’s important these programs have high integrity.”

The ridesharing company came under scrutiny for paying a 20-year-old hacker who had stolen 57 million user credentials — names, email addresses and phone numbers — in a 2016 data breach. Knowledge of the hack came to Uber via an anonymous email demanding payment, and the company paid the person to destroy the data. The company was accused of attempting to cover up the data breach rather than simply trying to identify and plug data problems with a payment, known as a bug bounty. Uber didn’t reveal it had suffered the 2016 breach until this past November.

One of the changes Uber is making is testing a bounty program that will allow researchers to donate their bounties to charity, with the company matching the contribution. The company is revising its policy to specify it won’t pursue legal action against good-faith hackers who submit flaws through its bug bounty portal, which is hosted by HackerOne. Reuters also reported that Uber will provide support to those who may face litigation from others as a result of a bug submission.

“An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all,” Uber’s Flynn told Reuters.

Uber apologized for how it handled the breach months after Dara Khosrowshahi took over as CEO for ousted Co-Founder Travis Kalanick. Additionally, Uber fired Chief Security Officer Joe Sullivan and an attorney.