Cyber-security gets more complicated by the day. Companies face evolving technology, a regulatory hammer, and the complexity of breach notification rules that vary state-by-state.

There are also tough ethical decisions to consider. When does the transparency of breach disclosure become an invitation and blueprint for other hackers?  Should you pay the hackers behind a ransomware attack or adopt a “we don’t negotiate with terrorists” philosophy? Where, and how, does the line blur between “white hat” and “black hat” hackers? Are so-called “bug bounties” a viable security initiative, or a slippery slope?

Touching upon these debates is Uber, the app-enabled ride-sharing service as well known for its bad behavior as its phenomenal growth and forthcoming IPO. In recent months, it has batted down allegations of sexual harassment, unfair surge pricing, raped riders, sexual harassment within a divisive company culture, underpaying drivers, and allegedly stealing autonomous driving trade secrets from Google’s parent company, Alphabet.

Topping it off, Uber also finds itself in in the crosshairs of hackers. How it responded to breaches has attracted Congressional scrutiny.

On Feb. 7, the Senate Commerce Committee held a hearing to dig deep into Uber’s latest data theft and its use of “bug bounty” programs that reward hackers for finding security gaps that might otherwise be exploited.

A bug bounty is a reward offered to someone outside of the company who identifies an error or vulnerability in a computer program or system. The usual process is coordinated with an established vulnerability disclosure program.

The hearing provided an opportunity to lambast Uber for taking nearly a year to disclose a 2016 security breach that compromised the personal data of nearly 57 million drivers and riders. Hackers accessed the data through a third-party, cloud-based storage service.

Uber, by its own account, was notified by anonymous sources that archived copies of its databases had been compromised. The parties responsible were identified and the company paid $100,000 to them in exchange for promises that the compromised data would immediately be deleted.

Chief Information Security Officer John Flynn was contrite, testifying that “there is no justification” for how Uber handled the entire situation.

“We should have notified our customers at the time this did occur, and it was a mistake not to do so,” he said of the breach.

Members of the Committee were not satisfied with Uber’s drawn out disclosure timeline and the choice to pay a data ransom.

“There ought to be no question that Uber’s payment of this blackmail without notifying consumers who were gravely at risk was morally wrong and legally reprehensible,” said Sen. Richard Blumenthal (D-Conn.), describing the $100,000 payment as the price tag “to destroy evidence and keep quiet.”

“In a sense, it was almost an obstruction of justice,” he added.

“The fact that the company took approximately a year to notify impacted users raises red flags as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Chairman Jerry Moran (R-Kan.). “My colleagues and I seek specific clarification as to what policy safeguards are currently in place to prevent bug bounty programs from being used as extortion pay-out mechanisms in the future.”

Moran said that properly run bounty programs were not a bad thing. It was Uber’s execution of such a program that was troubling.

“The ecosystem for rewarding bug hunting is skewing the markets toward more bug hunters, but not necessarily more bug fixers. This imbalance that is being created in these markets may very well shift the ecosystem towards rewarding data theft more than bug hunting.”
Katie Moussouris is the founder and CEO of Luta Security

“These substantive concerns, however, should not completely outweigh the overall utility of this innovative, crowd-sourced approach that many industry actors have taken to proactively identify ‘chinks in their technological armor’ through effectively administered bug bounty programs and other cyber-vulnerability disclosure efforts,” he said.

The Uber breach further “underscores the need for comprehensive and strong federal legislation that will provide adequate protections to consumers,” added Sen. Bill Nelson (D-Fla).

In response, Nelson and Blumenthal have, once again, introduced the Data Security and Breach Notification Act, legislation that would require companies to secure their data and to promptly notify consumers when there is a breach.

The bill would create the first-ever federal standard for disclosing breaches and would impose criminal penalties on corporate officials that willfully disguise or hide breaches from the public.

The bill, introduced on Nov. 30 and labelled S. 2179 in the Senate, in greater detail:

requires companies to notify consumers that they have had a security breach within 30 days.

institutes a maximum five-year prison sentence for intentionally hiding such a breach.

creates financial incentives for companies or organizations that utilize technologies that make consumer information unreadable in the event of a breach.

“Any such bill cannot simply cater to corporate interests,” Nelson said. “We should not adopt federal legislation that undercuts the Federal Trade Commission’s existing, longstanding, and well-established authority; nor should we consider a bill that eviscerates all state legal protections and replaces them with weak federal standards. I can only support a data security bill that provides consumers with protections that are stronger than current ones. It would be better for Congress to pass no bill at all than pass a bill that provides consumers with less protections under the status quo.”

The prospect of greater oversight and harsher penalties could trigger an even greater need for bug bounty hunters.

In his testimony, Flynn described bug bounty programs as “a critically important tool” and one widely used as part of comprehensive data security programs.

“All complex systems have “bugs”—imperfections unintentionally written within the software’s code.  Sometimes these bugs create vulnerabilities, which could be exploited by an intruder to gain access to confidential data,” he added. “Security teams across the industry, including those at Uber, invest heavily in preventing and identifying as many of these bugs as we can before code is updated in our products.”

Due to the evolving nature of software, however, programmers continuously update code by augmenting, rewriting, and overwriting their prior work. “That process inevitably results in unexpected errors and vulnerabilities,” Flynn said. “To help mitigate this reality, bug bounty programs allow companies to access additional skilled individuals to augment our in-house engineers. This outside perspective is also valuable in providing a fresh set of eyes and new ways of thinking to help our security teams address various challenges with innovative solutions.”

Participants in bug bounty programs typically respond to specific guidelines, as well as defined parameters regarding the types of systems that should be searched. For example, Uber posts a “treasure map” online to tell researchers where to look for bugs in our systems. “It points our researchers to the systems we care the most about,” Flynn said.

Uber’s current program, hosted by HackerOne, offers a combination of public recognition and monetary bounties as incentives for researchers to search products and Websites for potential bugs. 

Monetary bounties vary in size, from hundreds of dollars to hundreds of thousands of dollars, depending on the severity of the bug.  Companies may also offer physical items, such as branded apparel, commemorating bugs that are found, as a non-monetary reward for the researcher.

Since its initial launch, Uber’s bug bounty program has helped resolve more than 800 system vulnerabilities.  The program’s monetary payout stands at approximately $1.3 million in total.

“For us, this bug bounty program has been incredibly valuable, achieving very significant improvements in our data security posture for a relatively modest expenditure,” Flynn said. “Our bounties typically range from a few hundred dollars to several thousand dollars— depending on the impact and severity of the bug.”

Returning to the $100,000 paid to appease Ubers hackers, Flynn, who was not directly involved, said the “primary goal in paying the intruders was to protect our consumers’ data.”

Nevertheless, “this was not done in a way that is consistent with the way our bounty program normally operates. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.” 

Flynn added: “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.  The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed. While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users’ data were secure, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients. Going forward, Uber is revisiting its incident response approach in circumstances such as these.”

Martin Mickos is the chief executive officer of HackerOne, a leading bug bounty firm serving a variety of government and private-sector clients, including Uber, in administering crowd-sourced vulnerability disclosure programs. As of January 2018, more than 160,000 white-hat hackers have registered with HackerOne.

Mickos said that pricing, in the bug catching world, has started to evolve. The main factor is the severity of a vulnerability attack. He sees, in the current market, a ground floor of $500 and top-tier pricing of $250,000.

“A vulnerability disclosure program is essentially a neighborhood watch for software,” Mickos says.

Security experts may be described using a variety of titles including “ethical hacker,” “white hat,” “security researcher,” “bug hunter,” and “finder.”

“One title is conspicuously absent: criminal,” he testified. “Bug bounty platforms offer no benefit to someone with criminal intent. On the contrary, we record data about every hacker on the platform and only reward actions that follow the rules. For these reasons, criminals go elsewhere.”

There are concerns, however, that if companies like Uber give in to ransom demands, the marketplace for ethical hackers and bug finders will be thrown out of balance.

Katie Moussouris is the founder and CEO of Luta Security, which advises clients on vulnerability coordination programs and applicable internal company policies. She fears the creation of “perverse incentives.”

“You may create an environment where it is much more lucrative to spend your time looking for bugs than it is to develop fixes or new code,” Moussouris said. “We do need to be aware of this market we are creating and make sure we are not over-skewing and over-rewarding.”

The goal, she said, is setting these incentives at an appropriate level “where you are drawing out interest and the creativity of the hacker community to work with you, but not setting them too high for something that is not sufficiently rare.”

“The ecosystem for rewarding bug hunting is skewing the markets toward more bug hunters, but not necessarily more bug fixers,” Moussouris added. “This imbalance that is being created in these markets may very well shift the ecosystem towards rewarding data theft more than bug hunting. There is a difference between paying $10,000 for a bug and paying $100,000 for a breach. If the legal market for bugs becomes muddied with extortion payments that are exponentially higher, we will be building the wrong kind of market, and consumers will be the victims instead of the beneficiaries of enhanced work with hackers.”