Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Businesses Communications Privacy Security

Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach (threatpost.com) 16

lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data."

One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.

This discussion has been archived. No new comments can be posted.

Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach

Comments Filter:
  • Crowdsourced ... (Score:4, Insightful)

    by CaptainDork ( 3678879 ) on Friday April 27, 2018 @04:57PM (#56516209)

    ... infosec. What horseshit.

    Uber apparently has no security force in-house.

  • by greenwow ( 3635575 ) on Friday April 27, 2018 @04:58PM (#56516219)

    They're going "Microsoft."

  • $500?? what did they pay for person that died finding the deadly bug in there self driving car?

  • That seems like awfully small potatoes. Especially for a company like Uber. I can't imagine it's too hard to dig up dirt on them, and it might not be a bad idea to pay more so the bugs don't show up in the black market first. I could see many a journalist (real ones, not the pro-Uber corporate ones on major networks) getting their hands on all sorts of fun stuff.
  • I think the paltry amount of money Uber is offering is an indication of how much they really care about the program. $500 isn't enough to motivate anybody. Black hats will laugh at the money and white hats will consider it an insult.

    I remember decades ago, when a software company offered a free car to anybody who could find a bug. "A [volkswagon bug] for a bug."

To stay youthful, stay useful.

Working...