Uber overhauls bug bounty rules after breach-ransom fiasco

  • Liam Tung (CSO Online)
  • 27 April, 2018 05:46

Uber has amended the rules of its bug bounty program following the controversy over its payment to the hackers behind a massive 2016 data breach in exchange for destroying the data they had acquired.

The breach, which Uber disclosed almost a year after it occurred, affected 50 million users and 7 million drivers around the world. 

Soon after the ride-hailing firm admitted it had paid the hacker $100,000 to delete the personal data and keep quiet about the incident, concerns were raised that it had used its bug bounty program to facilitate a ransom payment to the hacker. Uber’s bug bounty had a maximum payout of $10,000.

In February, following a change of guard at Uber, the company's new CISO, John Flynn, told lawmakers in Washington that Uber paid the hacker through HackerOne, a third-party bug bounty platform it uses to handle vulnerability reports from the public. 

Uber on Thursday said it had updated its bug bounty terms with HackerOne to “provide more specific guidance on what good faith vulnerability research looks like and what type of conduct falls outside that.”

The new “ground rules” include “no extortion, shake downs, or duress”, a commitment not to create more vulnerabilities, and respecting “user privacy” — a term that was not mentioned in a previous version captured by users on   

Beyond the technical scope of its bounty, the tenets of Uber's former rules only highlighted respectful interactions with its security team and a commitment to respond to reports.

The new terms stipulate that researchers “only interact with Uber accounts you own or with explicit permission from the account holder”. 

“We want you to hunt for bugs, not user data,” Uber says.

If researchers do discover user data, Uber expects them to report the bug to it and not to copy or save the information.

“You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached,” the terms read. 

Researchers also “should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam.”

Uber says it won't disqualify, sue, or support third-party legal action against researchers if they conform to its terms.