Senate Hearing Examines Bug Bounty Programs in the Context of the Uber Data Breach
On February 6, 2018, the Senate Committee on Commerce, Science and Transportation’s Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security held a hearing on the 2016 Uber data breach and bug bounty programs. With the proliferation of connected devices and services, bug bounty and vulnerability disclosure programs are increasingly of interest. Companies should be aware of these programs as Congress and the Executive Branch continue to examine them.
The 2016 Breach
In 2016, Uber was victimized by a data breach. Uber did not report the incident to regulators or customers, and acknowledged that it paid the hackers $100,000.
The Senate Committee is looking at this incident with an eye toward securing the ecosystem and improving breach and vulnerability response. During the hearing, Chairman Moran asked John Flynn, Uber’s Chief Information Security Officer, about the company’s incident response. Mr. Flynn stated that Uber should have notified customers sooner and that the company has implemented processes to improve future responses.
Bug Bounty Programs
The hearing also examined bug bounty programs, which Subcommittee Chairman Moran (R-KS) defined as “a reward offered to someone outside of the company who identifies an error or vulnerability in a computer program or system in connection with a coordinated vulnerability disclosure program.”
Mårten Mickos, HackerOne’s Chief Executive Officer, was a witness. HackerOne manages bug bounty programs for third parties. Mr. Mickos described vulnerability disclosure programs as a useful “neighborhood watch” for software and observed that the federal government—particularly the Department of Defense (DOD)—is an “innovator” in the arena.
When Chairman Moran asked about the bounties paid for vulnerability disclosure, Mr. Mickos said that a market has begun to form as companies have now paid tens of thousands of bounties. He noted that the bounty is determined by the company offering the bounty, and the primary factor is the nature of the vulnerability. Per vulnerability, bounties average around $500 but can go as high as $250,000.
Mr. Mickos stated that companies like HackerOne are not in the incident response business, but rather the breach prevention business. Organizations normally join HackerOne through an invitation-only program, and Mr. Mickos noted that the FTC, National Telecommunications & Information Administration (NTIA) within the Department of Commerce (DOC), Food and Drug Administration (FDA), National Highway Traffic Safety Administration (NHTSA), and the Department of Justice (DOJ) have declared vulnerability disclosure programs a “best practice.” He called for government-endorsed best practices that require disclosure programs and claimed that “ethical hacking may be the only force that can stop criminal hacking.” He also recommended that the senators read HackerOne’s 2018 report.
Senators asked whether Uber had a bug bounty program during the 2016 breach. According to Mr. Flynn, Uber started its bug bounty program in 2015, but the 2016 hackers were unaware of the program. Uber invited the hackers to join the program after Uber discovered the breach, which Mr. Flynn claimed is not an unusual practice. He said that it was not clear to Uber that the hackers were a criminal element before the company invited them into the program. Rather than reporting the vulnerability, the hackers exploited it to download consumer data and extort funds. Mr. Flynn agreed that such conduct needs to be immediately reported to law enforcement and consumers, and said that bug bounty programs need processes and procedures for when extortionate activity occurs.
Vulnerability disclosure programs have recently been examined by the International Standards Organization (ISO) and NTIA, and may be added to the Framework for Improving Critical Infrastructure Cybersecurity created and now being revised by the National Institute of Standards and Technology (NIST).
These are complicated issues for any company worried about cybersecurity and considering which of these innovations it might want to adopt. It remains to be seen what comes next, whether from Congress or the Executive Branch. But these programs are unlikely to go away.