What is a Bug Bounty?
Uber recently revealed they paid a hacker $100,000 to delete the personal information of 57 million users and 600,000 drivers that had been accessed in an October 2016 breach. Media reports indicate the hacker was a 20-year-old from Florida who lives with his mother.
Uber seems to have used its bug bounty program to pay the ransom, according to a Reuters report. The $100,000 check was allegedly issued through this program and was paid after the hacker proved he had deleted the information.
A bug bounty program is a controversial practice that some companies, such as Mozilla, Facebook and Google, use to uncover possible security vulnerabilities. Basically, companies pay independent researchers a fee for uncovering potential vulnerabilities within their systems. Mozilla pays a $3,000 flat rate to ethical security researchers who find bugs, while Facebook has paid as much as $20,000, according to TechTarget.
Uber has hired HackerOne for its official bug bounty program, but the young man who allegedly breached their systems is not a part of this program. It is unclear who authorized the payment, but sources close to the story told Reuters that then-CEO Travis Kalanick was aware of the breach and that the payment was made as early as November of last year.
Bug bounty programs put companies into an ethical gray zone. While many security research companies, such as HackerOne, have specific guidelines to help protect both the researchers and any potential victims, these programs leave the door open to paying outside parties for stealing information. Also, customers are not made aware that a third party accessed their information, which raises questions about privacy.