Uber Tightens Bug Bounty Extortion Policies

Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion.

The ride-sharing company has updated its program to include clarity around the boundaries between research versus blackmail. The changes come after a 2016 incident in which Uber paid out a ransom to hackers who stole millions of user credentials – it said at the time that the payment was part of its bug-bounty program, which it operates under HackerOne to reward white-hats that catch security vulnerabilities in its platform.

“The new terms provide more specific guidance on what good-faith vulnerability research looks like, and what type of conduct falls outside that,” said Uber’s Lindsey Glovin, security analyst for product security, and Rob Fletcher, product security engineering manager at the company, in a post. “We’ve also added specific instructions on what to do if a researcher comes in contact with user data while researching vulnerabilities.”

Uber didn’t disclose the breach – which impacted 57 million global users – for about a year, finally notifying impacted customers only last November. Uber initially did not notify federal authorities about the breach either.

In a congressional hearing in February, Uber CISO John Flynn confirmed that a 20-year-old man behind the breach was paid by Uber to destroy the data through its bug-bounty program.  The man and his partner had contacted Uber on Nov. 14, 2016, to demand a six-figure payment, according to Flynn.

Flynn said that Uber’s security team had contacted the hackers to ensure they destroyed the data before paying them $100,000.

With the updates, Uber’s HackerOne bug bounty policies more thoroughly outline “good-faith vulnerability research and disclosure,” and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers “to hunt for bugs, not user data.”

One newly outlined policy makes it clear that Uber won’t take legal action against researchers – as long as they report vulnerabilities with no strings attached. “You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached,” the policy said.

“Uber has simplified the language of their disclosure policies, which is not common – a lot of companies use complicated policies,” said Amit Elazari, an expert in the policies and legalese surrounding bug bounty programs, speaking to Threatpost. “They also made sure all their terms were in one place.”

Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report. “This will allow us to quickly and thoroughly test issues once they are resolved, and run the PoC again down the line to ensure there have not been regressions,” said Glovin.

Uber’s bug-bounty program started more than two years ago, and touts an all-time total payout of more than $1.4 million.

“In this case with Uber, the additional clarifications around what is considered good faith will go a long way toward allowing Uber and the hackers to work together safely and within the parameters of the program,” Koby Kilimnik, security researcher with Imperva, told Threatpost.

He added, “It’s always a good thing when the white hats are no longer afraid of wrongful prosecution from the responsible disclosure of bugs. From an Uber perspective, the updated bug bounty program provides a better way to track the attempts to find bugs on their site, sift through their logs and find bad actors more easily without confusing the two.”

Bug Bounty Growing Pains

Uber’s 2016 breach revealed the growing pains that many bug-bounty programs are going through. Many companies are launching programs that highlight massive payouts – as opposed to highlighting the actual protection of consumer data.

Katie Moussouris, CEO of Luta Security, said that worryingly, many companies use bug bounties only for finding vulnerabilities in the moment, while they should be shaping program policies that improve their actual overall security strategies.

“We’re in a period of accelerated growth and adoption when it comes to bug bounties… but I’m worried that we’re missing the point when it comes to securing everything,” she said during a panel discussion at the RSA Conference last week. “We don’t want trendy bug bounties replacing basic security self-care.”

Other companies have stumbled over unanticipated issues around their bug-bounty programs that escalate tensions with researchers. For instance, in November 2017, DJI threatened to sue a security researcher after he found vulnerabilities in the company’s code and reported them through its bug bounty program. The researcher subsequently went public with DJI’s attempts to threaten him.

Another issue is that many companies lack legal “safe-harbor” language that allow hackers to compete among themselves to find security vulnerabilities. This means that the terms of the bug bounty are in line with the Department of Justice framework, so bug hunters aren’t in legal harm’s way.

Elazari said that only four companies include perfect safe-harbor policy terms, and Uber, for its part, has adopted a partial safe harbor with its new policies. “It’s not perfect but it’s a step forward,” she said.