Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach (threatpost.com) 16
lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data."
One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.
One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.
Crowdsourced ... (Score:4, Insightful)
... infosec. What horseshit.
Uber apparently has no security force in-house.
$500 (Score:2)
Pleased that they are offering so much more than the market rate for vulnerabilities.
Re: (Score:2)
It goes beyond even just no strings attached, too; they're making a preemptive threat against people who don't agree to their terms, who might want to offer them different terms. They seem to consider offering them something on proposed terms to be a "shakedown."
My advice to security researchers, if you find an Uber bug, sell it to Uncle Sam instead.
Re: (Score:2)
Hey on the bright side, in addition to the $500 you also get a coupon for half-off-your-first-month's LifeLok service!
It's like they want to discorage bug reports (Score:3, Interesting)
They're going "Microsoft."
Re: (Score:2)
Last time I bought a laptop, I booted into Windows to make sure the hardware worked before installing linux, and it did boot and appeared to be some sort of functional desktop OS.
Definitely still runs.
$500?? what did they pay for person that died find (Score:2)
$500?? what did they pay for person that died finding the deadly bug in there self driving car?
$500 bucks? (Score:2)
Bug "bounty?" (Score:2)
I think the paltry amount of money Uber is offering is an indication of how much they really care about the program. $500 isn't enough to motivate anybody. Black hats will laugh at the money and white hats will consider it an insult.
I remember decades ago, when a software company offered a free car to anybody who could find a bug. "A [volkswagon bug] for a bug."