In the aftermath of revelations that Uber kept a 2016 breach hidden for a year and paid ransom to a hacker, the ride-sharing company has revised its bug bounty program, which is run on HackerOne, to prevent further missteps.
The new terms for researchers, now found in a single location, “provide more specific guidance on what good faith vulnerability research looks like and what type of conduct falls outside that,” Lindsey Glovin, security analyst, product security, and Rob Fletcher, product security engineering manager, wrote in a blog post. “We’ve also added specific instructions on what to do if a researcher comes in contact with user data while researching vulnerabilities.”
For more than a year, even as it negotiated with regulators in the U.S. over privacy infractions, Uber hid a massive hack that resulted in cyberthieves pilfering the personal information of 57 million customers and drivers and prompted the company to fire two executives, including its chief security officer, Joe Sullivan.
Researchers whose report is resolved will receive an additional $500 on top of the final bounty “if they include a fully scripted POC in their original report,” they said. That way, Uber can “quickly and thoroughly test issues once they are resolved, and run the POC again down the line” to confirm that no regressions have occurred.
Uber touted the success of its bug bounty program. “While the volume of reports we receive on a regular basis is trending down, the percentage of paid reports continues to increase, meaning we’re spending more time triaging and rewarding valid reports,” Fletcher and Glovin wrote, noting that the company had paid out more than $290,000 and resolved nearly 200 issues since its last update on the program. That brings the total paid out to more than $1.4 million.