Slashdot Mirror
Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach (threatpost.com)

lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data."

One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.

16 comments

  1. Crowdsourced ... by CaptainDork · · Score: 3, Insightful

    ... infosec. What horseshit.

    Uber apparently has no security force in-house.

    --
    It little behooves the best of us to comment on the rest of us.

    1. Re:Crowdsourced ... by Anonymous Coward · · Score: 0

      but...$500!!!

  2. It's like they want to discourage bug reports by greenwow · · Score: 2, Interesting

    They're going "Microsoft."

    1. Re:It's like they want to discourage bug reports by Anonymous Coward · · Score: 0

      I reported a problem with WordPad, and instead of thanking me, they threatened me and found my home address. Sounds like Uber, like Microsoft, wants people to sell exploits on the black market instead of reporting them.

    2. Re:It's like they want to discourage bug reports by Anonymous Coward · · Score: 0

      The last exploit I submitted to Microsoft got me a civil suit against me from them, so it does sound like they're going "Microsoft."

    3. Re:It's like they want to discourage bug reports by Anonymous Coward · · Score: 0

      I asked a question in Microsoft's help forums about why sharing a single folder on the LAN also shares the entire $USER directory. I got banned without an answer. I use Fedora now... No more bullshit.

    4. Re: It's like they want to discourage bug reports by Anonymous Coward · · Score: 0

      How does Microsoft software run these days? I haven't used any since 2005.

    5. Re: It's like they want to discourage bug reports by Aighearach · · Score: 1

      Last time I bought a laptop, I booted into Windows to make sure the hardware worked before installing Linux, and it did boot and appeared to be some sort of functional desktop OS.

      Definitely still runs.

  3. $500 by bagofbeans · · Score: 1

    Pleased that they are offering so much more than the market rate for vulnerabilities.

    1. Re:$500 by Anonymous Coward · · Score: 0

      You are so right. Here's the problem with a $500 bounty:

      1) Anyone trying to legitimately make a living (or make it worth their free time) hunting for vulnerabilities will turn to finding flaws in other systems which pay far better, thus leaving Uber more exposed.

      2) Anyone who doesn't have a 100% good conscience who does find a flaw is likely to sell the vulnerability to someone who can pay far more, whether that be a malware vendor/distributor, criminal enterprise or hacker, or release it in the wild to spite Uber (which is realistic considering the dishonorable track record the company has).

      Give it to Uber no strings attached? Seriously? Good luck Uber. This approach of outsourcing your pen testing to $500 is going to fail you. If you are going to have a bounty program, do it right. Don't insult the people you're secretly trying to exploit.

    2. Re:$500 by Aighearach · · Score: 1

      It goes beyond even just no strings attached, too; they're making a preemptive threat against people who don't agree to their terms, who might want to offer them different terms. They seem to consider offering them something on proposed terms to be a "shakedown."

      My advice to security researchers, if you find an Uber bug, sell it to Uncle Sam instead.

    3. Re:$500 by humankind · · Score: 1

      Hey on the bright side, in addition to the $500 you also get a coupon for half-off-your-first-month's LifeLok service!

  4. $500?? what did they pay for person that died find by Joe_Dragon · · Score: 1

    $500?? What did they pay the person that died finding the deadly bug in their self-driving car?

  5. $500 bucks? by rsilvergun · · Score: 1

    That seems like awfully small potatoes. Especially for a company like Uber. I can't imagine it's too hard to dig up dirt on them, and it might not be a bad idea to pay more so the bugs don't show up in the black market first. I could see many a journalist (real ones, not the pro-Uber corporate ones on major networks) getting their hands on all sorts of fun stuff.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  6. Re:$500?? what did they pay for person that died f by ChocoIncognito · · Score: 0

    You mean that bug where the user didn't have their hands on the wheel for over 6 seconds while the system warned loudly about it? OH THAT BUG?

  7. Bug "bounty?" by humankind · · Score: 1

    I think the paltry amount of money Uber is offering is an indication of how much they really care about the program. $500 isn't enough to motivate anybody. Black hats will laugh at the money and white hats will consider it an insult.

    I remember decades ago, when a software company offered a free car to anybody who could find a bug. "A [Volkswagen Bug] for a bug."