Uber to Update 'Bug Bounty' Policies After 2016 Data Breach: Executive

Advertisement
By Reuters | Updated: 26 April 2018 18:24 IST

Uber on Thursday plans to announce changes to how it rewards cyber researchers who report flaws in its software, a company executive told Reuters, as part of the ride-hailing firm's response to concerns raised about the way it handled a data breach in 2016.

Among the changes to Uber Technologies's so-called bug bounty program are new terms that more clearly define what Uber does and does not consider "good faith" vulnerability research, John Flynn, the company's chief information security officer, said in an interview.

Advertisement

"We're clarifying the difference between researchers that act in good faith and people who don't," Flynn said. "We're doing a better job about being explicit about what those things are, because it's important these programs have high integrity."

Uber will also update its policies to specifically state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through its "bug bounty" portal. It will provide support to those who may face litigation from others as a result of a bug submission.

Advertisement

The changes are the first made to Uber's bug bounty platform since the company revealed last November the 2016 data breach of 57 million user credentials, including names, phone numbers and email addresses.

Reuters reported in December that a 20-year-old man was primarily behind the breach, and that he was paid by Uber to destroy the data through the bounty platform after receiving an email from anonymous person demanding money in exchange for user data.

Advertisement

The large size of the payment and Uber's use of the bounty system led some security researchers to criticize the company and suggest it had sought to conceal a criminal breach.

"An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all," Flynn said.

Advertisement

Uber apologized for how it handled the breach months after new Chief Executive Dara Khosrowshahi was installed following founder Travis Kalanick's ouster. The company fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark.

As part of the changes, Uber will test an option allowing researchers to donate their bounties to charity, which the company will match. The company will also update its submission form to include a question that asks whether personal consumer information may be exposed through the discovered flaw.

Flynn said the added question is intended to more quickly trigger review internally as to whether regulators may need to be notified, a change intended to avoid repeating mistakes made during its response to the 2016 breach. A European data privacy law taking effect next month will require companies to disclose within 72 hours whether user data has been compromised.

Marten Mickos, the chief executive of HackerOne, which hosts Uber's bug bounty program and provided input on its updates, welcomed the changes but said they alone would not guarantee Uber would avoid its previous mistakes.

"It's not the main thing that was missing in 2016," said HackerOne Chief Executive Marten Mickos. "The main failure in 2016 was not notifying the authorities."

© Thomson Reuters 2018

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Apps, Internet, Uber, Uber Bug Bounty
Advertisement

Related Stories

Popular Mobile Brands
  1. Oppo Reno 16, Reno 16c Make Their Debut in India at These Prices
  2. Samsung Galaxy Jump 5 Debuts As a Rebranded Version of This Smartphone
  3. Amazon Prime Day 2026: Best TWS Earphone Deals
  4. OTT Releases This Week: Elle, Super Subbu, Enola Holmes 3, and More
  5. HP ProBook 4 G2a Review: The Reliable New Daily Driver for Work
  1. Oppo Enco Air 5 With Up to 52dB ANC, Up to 54 Hours Battery Launched in India: Price, Features
  2. Apple Reportedly Cuts iPhone 17 Series Production Plans by 15 Percent as Demand Softens
  3. Moto G77 Power Set to Launch in India Next Week; Price Range, Specifications Revealed
  4. CMF's Himanshu Tandon Announces Exit Weeks After Firm Confirms 2026 Phone Strategy
  5. Onimusha: Way of the Sword Release Date Moved Up to September 4 Amidst Busy Release Period
  6. HP HyperX Omen 16 Valorant Limited Edition With RTX 5060 GPU, 16GB RAM Launched in India: Price, Features
  7. Red Magic Gaming Tablet 5 Pro Launched With 185Hz OLED Display, Snapdragon 8 Elite Gen 5 Chip
  8. Samsung Galaxy Jump 5 Launched With 5,000mAh Battery, Snapdragon 6 Gen 3 Chipset: Price, Specifications
  9. Lumio Announces Project Neo Public Beta for AI-Powered Content Discovery on Lumio Vision TVs, Arc Projectors
  10. Oppo Reno 16, Reno 16c Launched in India With 50-Megapixel Cameras: Price, Specifications
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.