Uber updates ‘bug bounty’ policy

After the major 2016 data breach we wrote about in November, when a 20-year-old hacker exposed 57 million users’ credentials, email addresses, phone numbers and other personal data, Uber has finally updated its ‘bug bounty’ policy.

Uber finally makes changes to the policy of ‘bug bounty’ program

The data leak incident had raised questions about bug bounty programs overall. Uber apologised for its inappropriate handling of the case and has been working to improve its vulnerability research platform. On Thursday (April 26th, 2018) the company announced its plans to make changes to its bug bounty program. The alterations will mainly focus on the main terms and the rewards given to deserving researchers.


John, Uber’s Chief Information Security Officer, said in an interview:

“We’re clarifying the difference between researchers that act in good faith and people who don’t. We’re doing a better job about being explicit about what those things are, because it’s important these programs have high integrity.”

After drawing a line between what is and is not considered a ‘good-faith’ act, Uber stated that it won’t take legal action against well-meaning hackers and will even provide support to those who face litigation from others as a result of a bug submission through the HackerOne bug bounty portal.

Another change Uber will be testing in an updated platform for vulnerability researchers is the ability to donate earned bounties to charity, with the company matching the contribution. Lastly, the ride-sharing company also updated the submission form, which now asks whether personal consumer information may be exposed through the discovered security flaw.

Mixed opinions about the modifications

John said that this question should trigger a faster company review of a problem and a decision on whether regulators should be notified immediately. Uber is hoping that this will help prevent a repeat of its history from 2016.

However, the new changes to the bug bounty program did not impress HackerOne’s chief executive Marten Mickos. Mickos said that HackerOne, which hosts Uber’s bug bounty program, welcomes the changes, but that they alone will not guarantee that Uber avoids repeating its previous mistake; in his view, the main problem in 2016 arose from not notifying the authorities.

Hopefully Uber has learned from its own mistakes and these new updates will be enough to stay secure, because as of next month a new European data privacy law will take effect, requiring companies to disclose within 72 hours if user data has been compromised. In a nutshell, if Uber messes up this ‘second chance’, there may not be a ‘third’, especially with rivals close behind.
