In 2017 we saw more data breaches, phishing scams, ransomware, state-sponsored attacks than ever before. And while each one was damaging in their own right and continue to shape cybersecurity, one breach in particular stood out: the Uber breach. Not necessarily for the impact or the type of breach, but for what happened afterwards.
For those of you catching up, this past November Uber disclosed that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom. Uber concealed its payment to the hacker internally and externally by making it look like the ransom was made through the company’s bug bounty program.
While the details continue to emerge, the information we already know holds significant ethical implications, not only for cybersecurity but also for the bug bounty community at large. Discussion around bug bounty ethics, disclosure and what actually constitutes a bug bounty payment has taken center stage. Our CSO, David Baker provided some good guidance in his recent blog post. A bug bounty is not a ransom paid to hackers who find a vulnerability, exploit it, then attempt to sell that information back to an organization. A bug bounty program is defined by a clear scope, guidelines and managed by a proven process. From an ethical standpoint this Uber situation creates confusion and potentially damages the growth of the researcher/organization relationship—despite the fact that it was clearly an extortion payout, and not a true bug bounty payout. Having a trusted partner to help this relationship along is key.
But that is not the whole story. According to the New York Times, by demanding that the hackers destroy the stolen data, Uber may have violated a FTC rule on breach disclosure. Additionally, the company may have also violated state breach disclosure laws by not disclosing the theft of Uber drivers’ stolen data. There is a clear responsibility for an organization to disclose the breach, to alert and reduce the risk to those impacted. Using money to pay malicious hackers not to cause damage may sometimes be rational, but breaking the law never is.
We’ve been very active in providing thoughts on the matter given we are founded on the principles of making the internet a safer place and providing opportunities for the global research community to make a living. It’s our responsibility to be proactive about preventing this type of misuse, and the confusion and ethical questions that come with it.
Bug bounties are set up to connect two groups of individuals that need each other, whether they like it or not. But just like any other developing relationship, it takes work. A slip-up, like Uber, can threaten this relationship. But at the same time, more and more companies are taking this on because they know the value that comes of it.
But the Uber breach isn’t the only event that caused confusion recently. Take it from DJI, bug bounty programs are not easy. The right partner will help create a competitive program that draws the best researchers and provides the results organizations are looking for.
There is still a lot yet to discover and we definitely want to keep the conversation alive. We will be hosting a webinar after the congressional hearings in early February.
