The federal indictment of Uber’s former CSO for allegedly covering up an extortion payment by making it look like a bug bounty reward, should serve as a stern warning to companies: create more precisely defined parameters of what constitutes a legitimate vulnerability disclosure transaction, then more strictly enforce them.
Additionally, businesses need to better understand the legalities that differentiate an above-the-board bug bounty payment from an illicit cover-up.
According to a Department of Justice criminal complaint, Uber deviated from its normal bug bounty procedures when in 2016 it shelled out $100,000 to two men who had used stolen login credentials to hack into a company account containing information on roughly 57 million Uber customers and drivers. Joe Sullivan, who was CSO at the time, allegedly hid the incident from the Federal Trade Commission, which had previously imposed certain demands on Uber to disclose any breach activity following a previous incident in 2014.
(The complaint also states that Uber's former CEO Travis Kalanick was aware of the circumstances; however, Kalanick is not mentioned by name, nor were charges filed against him.)
The complaint further notes that the terms and conditions of Uber’s bug bounty program “did not authorize rewarding a hacker who had accessed and obtained personally identifiable information of users and drivers from Uber-controlled systems.” Among those systems were AWS storage buckets, which is precisely what the two hackers – later identified as Brandon Glover of Winter Springs, Florida and Vasile Mereacre of Toronto, Canada – compromised.
Sullivan’s request that the hackers sign NDAs to keep details quiet was also atypical, and the NDA documents falsely claimed that the hackers never acquired data, the complaint adds. Moreover, the $100,000 payment was “by far the largest bounty that Uber had ever paid through the program,” which had officially established the maximum payment at only $10,000.
"What took place in 2016 was clearly extortion, not a bug bounty payment,” asserted Casey Ellis, founder and CEO of vulnerability disclosure platform provider Bugcrowd. “In a bug bounty program, the terms of engagement – including payment – are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for misunderstanding. In extortion, it's the other way around, and the threat of data exposure puts pressure on payment.”
There appear to be two issues at play here: understanding legal and regulatory standards, and establishing your own sound internal business policies.
Laws & regulations
Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth, told SC Media that each U.S. state has instituted its own bare minimum thresholds for when a company must submit a data breach notification. For instance, one commonality along all 50 states is requiring notification if driver's license numbers are acquired by an unauthorized party.
Sotto said the data subject to various breach notification laws "is actually very carefully delineated, and includes data elements like social security number and driver's license number; in some states, health information; [and] in all states, financial account number."
There is an expectation that companies familiarize themselves with these requirements and also ensure they are not running afoul of any regulatory statutes or paying off entities who have been placed on federal sanction lists, such as the cybercrime group known as Evil Corp.
It is also worth noting that in addition to obstruction of justice, prosecutors charged Sullivan with "misprision of a felony" – in other words, the active concealment of the commission of a major crime from the authorities. But then what about when companies silently pay off ransomware attackers that don't steal any data but encrypt files and disrupt operations? Is that also concealing a felony?
From a law enforcement and legal perspective, ransomware payments are "an area that still needs to be explored," said Sotto, who said it's always advisable for companies to seek legal expertise in any cyberattack scenario.
Brian Gorenc, senior director of vulnerability research and head of Trend Micro’s Zero Day Initiative, agreed with this strategy.
“Companies need to involve their legal counsel when responding to incidents to avoid even the appearance of impropriety," said Gorenc. "The line between ransomware payment and blackmail payment can be fuzzy depending on business types – private or publicly traded – and locales. Incident responders should also have a good understanding of any relevant legislation that may impact both their actions and their disclosures.”
Setting corporate policies
Aside from following the law, companies should also take care that their bug bounty payments are adhering to responsible corporate policies that define what constitutes a legit payment and what constitutes extortion.
For instance, perhaps a hacker finds an exploitable vulnerability and threatens to publish it without giving the company adequate time to fix it, unless he receives a higher reward than the company was initially willing to give. If the company acquiesces, has it given in to extortion?
In these type of dilemmas, “The question really comes down to whether they would have purchased a bug report under normal circumstances,” said Gorenc. “Another key is price. If bug ‘A’ is worth $10,000 one week but worth $50,000 the next, something is likely amiss. There’s also the question of what action you take after you purchase a bug report. Do you attempt to fix it or do you just sit on the report? If you’re buying bug reports you wouldn’t normally purchase, overpay for them, and make no attempt to fix them, it’s likely you’re attempting to cover something up.”If you’re buying bug reports you wouldn’t normally purchase, overpay for them, and make no attempt to fix them, it’s likely you’re attempting to cover something up.”
Of course, sometimes bug bounty programs leave room for interpretation – and that’s why clear and concise contractual language is so important.
“If you are going to run a bug bounty program, you need to be very clear with what is in scope and how the disclosure process works," said Gorenc. "Can researchers talk about their findings once fixed? Do companies take action on bugs they haven’t contracted yet? Are fixed bugs documented? All of these things – and a lot more – need to be defined before a program starts.”
Similarly, companies are advised to develop their own internal policies for data breach notification. For instance, a company may consider alerting the public if certain user contact information has been illegally acquired, even if the law doesn't necessarily require such an action, Sotto explained.
One way to ensure a more rock-solid bug bounty policy is to rely on a credible third-party vulnerable disclosure platform or program. Such services "put strict boundaries around how to manage this bug bounty framework, and absolutely stick within those parameters," said Sotto.
In 2019, Glover and Mereacre pleaded guilty in federal court to hacking into the GitHub accounts of Uber employees in order to find and steal AWS storage credentials. Ellis expressed concern that the actions of Uber and the two convicted hackers hurt the white hat hacking community, which has come so far in terms of gaining the trust of private and public institutions so they can have the access system access needed to find and quash dangerous vulnerabilities.
“Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses legal lines into dark territory, and the kind of hacking which can be helpful,” Ellis said. “As leaders within the cybersecurity space, we have a moral obligation to support the next generation of internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work.”
“I highly advise other industry leaders to consider the value of the ethical security researcher community. As the internet plays an instrumental role in both our daily work and personal lives, this community of cyber defenders around the world work to make the internet a safer place for everyone.”
