SAN FRANCISCO: Uber on Thursday plans to announce changes to how it rewards cyber researchers who report flaws in its software, a company executive told Reuters, as part of the ride-hailing firm’s response to concerns raised about the way it handled a data breach in 2016.
Among the changes to Uber Technologies Inc’s so-called bug bounty program are new terms that more clearly define what Uber does and does not consider “good faith” vulnerability research, John Flynn, the company’s chief information security officer, said in an interview.
“We’re clarifying the difference between researchers that act in good faith and people who don’t,” Flynn said. “We’re doing a better job about being explicit about what those things are, because it’s important these programs have high integrity.”
Uber will also update its policies to specifically state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through its “bug bounty” portal. It will provide support to those who may face litigation from others as a result of a bug submission.
The changes are the first made to Uber’s bug bounty platform since the company revealed last November the 2016 data breach of 57 million user credentials, including names, phone numbers and email addresses.
Reuters reported in December that a 20-year-old man was primarily behind the breach, and that he was paid by Uber through the bounty platform to destroy the data after the company received an email from an anonymous person demanding money in exchange for user data.
The large size of the payment and Uber’s use of the bounty system led some security researchers to criticize the company and suggest it had sought to conceal a criminal breach.
“An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all,” Flynn said.