What’s in a bug bounty? Not extortion
Uber executives paid a high price this month for hiding a hack that exposed the personal information of 57 million customers. They concealed the massive hack for more than a year by authorizing a $100,000 payout via Uber’s HackerOne bug bounty platform to the hackers, one of whom is reportedly a 20-year-old man in Florida.
Those decisions could affect far more than just Uber users, drivers, and the company.
Uber’s new CEO, Dara Khosrowshahi, revealed on November 21 that the breach, which included 600,000 driver records, had occurred in 2016. He acknowledged that the company paid the hackers to delete the data they stole when they hacked Uber’s systems—and forced them to sign nondisclosure agreements.
The news surprised some industry observers because Uber has a large security team. Khosrowshahi fired Joe Sullivan, the company’s chief security officer and former federal prosecutor, and Craig Clark, the legal director of security and law enforcement at Uber, saying they should have disclosed the hack to authorities. And an Uber representative confirmed the resignation of Pooja Ashok, Sullivan’s chief of staff, following his ouster from the company. Several other of Sullivan’s direct reports have changed jobs within Uber, left the company for unrelated reasons, or gone on medical leave.
READ MORE ON BUG BOUNTIES AND VULNERABILITY DISCLOSURE
How to attack security issues like Google and Microsoft just did
At the heart of pacemaker hacking problems: Lack of coordination
Why Apple’s bug bounty is a big deal
Bug bounties break out beyond tech
The dark side of bug bounties
As bug bounties proliferate, hacking contests maintain strong pull
When to disclose a zero-day vulnerability
Survey says: Don’t start with a bug bounty
Representatives of Uber and HackerOne declined to comment for this story. The New York Attorney General’s office is investigating the incident, and Democrats on the Senate Commerce Committee have proposed a law that would criminally charge executives caught hiding breaches.
Companies have been using bug bounties since 1995 to protect hackers who want to legally conduct security research on computer code. Only in the past few years have tech titans and organizations beyond Silicon Valley, including government agencies, embraced them as a cost-effective way to engage with the security community and protect customers.
Bug bounties create a safe harbor for hackers to compete among themselves to find security vulnerabilities. In return for disclosing the vulnerabilities to the organizations responsible for patching them—and giving them adequate time to patch the vulnerabilities before their public reveal—organizations agree to pay hackers a one-time “bounty.” They also agree to not file criminal charges.
Without legal agreements associated with responsible vulnerability disclosures and bug bounty programs, security researchers could face prosecution under laws such as the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and the Electronic Communications Privacy Act.
Uber’s decision to hide the breach—and orchestrate a hacker payoff—through its bug bounty program exposes the company and the hacker to criminal and civil complaints, says Amit Elazari, a University of California at Berkeley Law doctoral candidate and expert in the legalese behind bug bounties. It also puts consumers at risk, she says.
“We might know that [extortion] is beyond the scope of a bug bounty, but the average consumer doesn’t.”—Amit Elezari, University of California at Berkeley Law doctoral candidate
What Uber did was “an abuse of the [HackerOne] platform. Not only is it not legal, it’s not even a bug bounty. You can’t just put a cover on it and think that you’re exempt under the law,” she says. “We might know that [extortion] is beyond the scope of a bug bounty, but the average consumer doesn’t.”
When corporations, governments, and even hackers blur the lines between extortion and responsible vulnerability disclosure, in which bug bounties and penetration tests play increasingly important roles, consumers are often left holding the bag. Such practices decrease trust in the involved parties, security experts say. They also can leave the involved products—from websites to myriad modern Internet-connected devices, often called the Internet of Things, and often connected to customer data—exposed to malicious hackers.
Uber’s attempt to disguise extortion within a bug bounty didn’t happen in a vacuum, says Katie Moussouris, CEO of Luta Security and a vulnerability disclosure expert who wrote Microsoft’s Coordinated Vulnerability Disclosure policy while employed there from 2007 to 2014. She notes a semi-independent researcher’s 2015 hack of Facebook’s Instagram going beyond the scope of the bug bounty; and Chinese drone maker DJI’s attempts in November to intimidate and threaten legal action against researchers who have found security vulnerabilities while legitimately participating in its bug bounty instead of paying them.
The DJI case she describes as a form of “virtue signaling,” actions to deceive consumers into thinking that one cares about vulnerability disclosure, she says. “Consumers have a right to know” when their data has been breached, and how safe a product or website is, she says.
“In the end, when the bug is fixed, not covered up, everybody should be able to talk about it as a win.”—Katie Moussouris, CEO, Luta Security
“In the end, when the bug is fixed, not covered up, everybody should be able to talk about it as a win,” Moussouris says. Uber used its bug bounty program “not just to hide ransom payments, but also to get hackers to sign NDAs for a pittance. And that’s bad for security.”
Organizations may make case-by-case decisions on how to handle vulnerabilities and the hackers who discover them, but vulnerability cover-ups, paid or unpaid, directly conflict with the spirit of U.S. Department of Justice vulnerability disclosure guidelines, published in July, which are intended to promote “a clear understanding between organizations and those doing the vulnerability hunting,” as well as consumers, says a Justice Department official familiar with the guidelines. And “there are unintended consequences.”
Third-party bug bounty platform managers can play an important role in tamping down on abuses that can harm consumers, says Casey Ellis, the CTO and founder of HackerOne competitor Bugcrowd. Companies like his, he says, have an ethical responsibility to prevent abuses—including not processing large payments that don’t fit within the terms of the bug bounty.
“We’ve got hackers on the platform who are 15, 16, 17 years old. If we’re taking some kind of ownership of seeing this community grow, then we’re responsible for keeping it from harm,” he says. “Saying no is an option.”
Clarification: Updated to reflect that Uber has denied reports that three employees who reported directly to Joe Sullivan left the company. Only one has.