Over the last five years, an unlikely romance has bloomed between hackers and top-tier tech companies.
Instead of using their powers for evil, some “white-hat” hackers have offered to find a corporation’s network vulnerabilities and, for a fee, disclose them to the owners. Although initially wary, thousands of companies have now created “bug bounty” programs, through which they pay hackers prize money for discovering and disclosing “bugs” in their systems.
Until recently, most observers saw bug-bounty programs as an unalloyed good—a way to enhance corporate cybersecurity while simultaneously turning talented hackers away from a life of crime and punishment.
But that was before Uber Technologies’ belated disclosure of a November 2016 data breach that saw the theft of data from 57 million users, including 25 million Americans, and 600,000 U.S. driver-license numbers. In an apparent ploy to avoid disclosing the theft, Uber chose to instead pay a $100,000 ransom to the two hackers under the auspices of a bug-bounty program it first enacted earlier that year.
The breach was not disclosed to consumers or law enforcement until November 2017, one year after the incident and several months after new management had taken over at Uber. Several states have opened investigations into whether the lack of disclosure violated state data-breach-notification laws, but the federal role in the controversy has so far been unclear.
Now the Senate is looking to change that. Sen. Jerry Moran, the chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, convened a hearing on Tuesday to discuss ways to prevent the hijacking of bug-bounty programs for nefarious purposes. And all options—from federal breach-notification requirements to hard limits on bug-bounty pricing and the preemption of a patchwork of state notification laws—appear to be on the table.
In the ride-sharing company’s first public admission of fault, John Flynn, Uber’s new information-security officer, told the Senate panel there was “no justification” for his company’s behavior. “We recognize that the bug-bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” Flynn said.
Flynn added that the actual theft of data distinguished this case from a typical bug bounty, in which hackers would merely identify a vulnerability without subsequently exploiting it.
Those in the bug-bounty industry, however, worry that the damage has already been done. Casey Ellis, the founder and chief technology officer of Bugcrowd, said the Uber incident has reawakened mutual suspicions between tech companies and hackers.
“This concept of, ‘Well, are bug bounties basically just extortion that happens on a more controlled level? Is this essentially money laundering, like hush money for hackers?’—it’s almost like the mud in the water started to settle, and this whole thing has stirred that mud back up,” Ellis said. “So that’s the part that I’ve found really frustrating.”
Ellis cautioned lawmakers against a knee-jerk reaction, warning that new rules could prove “onerously restrictive on the benefits of interacting with the hacker community, whilst sort of ignoring the fact that the bad guys don’t read the law.”
But Moran all but promised legislation to prevent another incident of extortion masquerading as a bug-bounty payout. “There is a lot of interest in legislation, [and] there has been for a while,” Moran told reporters after the hearing.
Democratic Sens. Bill Nelson and Richard Blumenthal also touted their own bill, the Data Security and Breach Notification Act, as a vehicle to greater accountability. Among other provisions, their bill would empower the Federal Trade Commission to take greater steps to enforce federal bug-bounty standards.
Observers see two potential problems with bug-bounty programs as they’re currently constituted. One is the corporate confusion over whether a breach stemming from a bug-bounty program should be disclosed, and to whom.
“If lots of personal information of customers or employees is accessed, that’s going to almost certainly trigger some regulatory notification obligation,” said Avi Gesser, a cybersecurity lawyer at Davis Polk. “And you usually can’t make that go away by just dealing with the person who hacked you—even if you don’t call it a hack.”
Uber’s Flynn seemed eager to admit his company’s mistake in failing to notify consumers and law enforcement. He pledged to work with lawmakers to create new notification requirements and supported the preemption of a “patchwork” of state notification laws with a federal framework.
The other issue relates to the often flexible pricing of bug bounties. Reports indicate that Uber initially sought to pay the hackers the standard $10,000 bug-bounty fee for their find, only to have that offer rebuffed in favor of a $100,000 payment. Experts say that type of haggling isn’t unusual in the bug-bounty world—but it can be destructive.
“Why would a hacker turn in a bug and follow the rules for $10,000 when the term ‘bug bounty’ has been muddied to include downloading 57 million records and getting paid $100,000 for that data theft?” asked Katie Moussouris, the chief executive of Luta Security, who testified on Tuesday. “I think that is a line that should be very, very clear that bounties should not be negotiable in that way.”
But Flynn seemed less eager to support a hard price cap on bug bounties. The Uber executive deflected when Sen. Blumenthal asked him if he’d support nonnegotiable and clearly defined terms for any vulnerability brought to his company’s attention, instead saying it’s important for companies to have procedures in place after the fact.
Moran couldn’t say when bug-bounty legislation is coming down the pike. But he hinted that it could be wrapped in a broader data-security bill, and would almost certainly include new breach-notification requirements for bug bounties gone wrong.
“I think there is a role for the law to play in finding the right parameters for this activity,” he told reporters after the hearing.