Bug bounties have come a long way since the days when the best reward a researcher could hope for was a one-line acknowledgement in a security advisory, or a t-shirt. Reward programs for researchers who report vulnerabilities to vendors have matured greatly recently, and changes that Uber is making to its bounty system show that it’s not just about the money anymore.
Uber started its bounty program more than two years ago, and in that time the company has paid out more than $1.4 million to researchers and has fixed nearly 900 bugs. But the company also went through a data-breach controversy last fall that involved the data of about 57 million users. The breach occurred in 2016 but only came to light in November, after the company said it had identified the people who accessed the data on a third-party cloud platform. Uber officials reportedly paid a large bounty to the hackers who accessed the user and driver data and said they received assurances that the data was destroyed.
In the months following the breach disclosure, Uber has been working on new rules of engagement for its bug bounty program. One of the major changes is that the company’s policy now explicitly spells out what good faith security research looks like.
“You should only interact with Uber accounts you own or with explicit permission from the account holder. We want you to hunt for bugs, not user data,” the Uber policy on the HackerOne bounty platform says.
Researchers who do encounter user data during the course of their work are asked to stop their research and report the issue to the Uber bug bounty team immediately, and ensure that they don’t store, copy, disclose, or transfer the user data. The new policy also includes language defining what constitutes unacceptable actions.
“You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached,” the policy says.
The updates to Uber’s policy arrive at a time when the definitions of research and hacking are becoming murkier by the day. Last week, news emerged that Canadian authorities have charged a 19-year-old man with a computer crime after he discovered publicly available records sitting on a government web server. The records included sensitive information on 250 people.
“The fact that the government was publishing documents that contained sensitive data in a public website without any passwords or access controls demonstrates their own failure to protect the private information of individuals,” Katitza Rodriguez and Aaron Mackey of the EFF wrote in an analysis of the case.
In its new policy, Uber makes it clear to researchers that as long as they abide by the terms of the program, the company won’t take legal action against them.
“If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program,” the policy says.
Such reassurances are necessary for researchers who are trying to navigate an increasingly complicated technical and legal landscape.