
Uber to update 'bug bounty' policies after 2016 data breach: Executive

REUTERS
Published : Apr 26, 2018, 6:15 pm IST
Updated : Apr 26, 2018, 6:15 pm IST

Uber is reportedly planning to announce changes to how it rewards cyber researchers who report flaws in its software.

The changes are the first made to Uber’s bug bounty platform since the company revealed last November the 2016 data breach of 57 million user credentials, including names, phone numbers and email addresses.

Uber on April 26 plans to announce changes to how it rewards cyber researchers who report flaws in its software, a company executive told Reuters, as part of the ride-hailing firm’s response to concerns raised about the way it handled a data breach in 2016.

Among the changes to Uber Technologies' so-called bug bounty program are new terms that more clearly define what Uber does and does not consider "good faith" vulnerability research, John Flynn, the company's chief information security officer, said in an interview.


“We’re clarifying the difference between researchers that act in good faith and people who don’t,” Flynn said. “We’re doing a better job of being explicit about what those things are because it’s important these programs have high integrity.”

Uber will also update its policies to specifically state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through its “bug bounty” portal. It will provide support to those who may face litigation from others as a result of a bug submission.



Reuters reported in December that a 20-year-old man was primarily behind the breach and that he was paid by Uber to destroy the data through the bounty platform after receiving an email from an anonymous person demanding money in exchange for user data. The large size of the payment and Uber’s use of the bounty system led some security researchers to criticize the company and suggest it had sought to conceal a criminal breach.

“An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all,” Flynn said.

Uber apologized for how it handled the breach months after new Chief Executive Dara Khosrowshahi was installed following founder Travis Kalanick’s ouster. The company fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark.


As part of the changes, Uber will test an option allowing researchers to donate their bounties to charity, which the company will match. The company will also update its submission form to include a question that asks whether personal consumer information may be exposed by the discovered flaw.

Flynn said the added question is intended to more quickly trigger an internal review of whether regulators may need to be notified, a change intended to avoid repeating mistakes made during its response to the 2016 breach. The European Union's General Data Protection Regulation, which takes effect next month, will require companies to notify the relevant supervisory authority within 72 hours of becoming aware that personal data has been compromised.


Marten Mickos, the chief executive of HackerOne, which hosts Uber’s bug bounty program and provided input on its updates, welcomed the changes but said they alone would not guarantee Uber would avoid its previous mistakes.

"It's not the main thing that was missing in 2016," Mickos said. "The main failure in 2016 was not notifying the authorities."
