On October 5, 2022, a federal jury convicted Joseph Sullivan, former Chief Security Officer of Uber Technologies Inc. (“Uber”) of obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover up of a 2016 data breach.¹
On November 14, 2016, hackers e-mailed Sullivan directly to have found a major vulnerability in Uber’s AWS system. Hackers were able to download records of more than 57 million users and 600,000 driver’s license numbers. This incident occurred amid an ongoing FTC investigation into Uber for a prior data breach in 2014. Ten days prior to learning about this latest hack, Sullivan testified under oath, and at length, to the FTC regarding Uber’s data security practices.
The hackers demanded a ransom of $100,000 from Uber and threatened to expose the personal data stolen if they weren’t paid. Instead of reporting the new breach to the FTC, Sullivan decided to cover up the incident under the guise of a bug bounty program in exchange for the hackers signing a non-disclosure agreement. Sullivan’s response demonstrated that this was not a genuine bug bounty under Uber’s terms and conditions nor industry standards. It was extortion. Sullivan tried to fit a square peg into a round hole in an attempt to prevent further public exposure.
Generally, bug bounty programs offer monetary rewards to white-hat hackers, or “researchers,” for successfully discovering and reporting a vulnerability or bug. These programs are usually done pursuant to specific guidelines with defined parameters regarding the scope, means of submitting vulnerabilities, payout scale, process for evaluating submissions, and communicating with researchers. They also include examples of activities that would not be permissible under the program. For example, finding a vulnerability is acceptable, leveraging that vulnerability to download and steal corporate data is not a permissible activity. Public bug bounty programs enable anyone to submit vulnerabilities. Private bug bounty programs require a well-defined process for participation.
A bug bounty process typically follows as after “a hacker discovers a bug, they fill out a disclosure report that details exactly what the bug is, how it impacts the application, and what level of severity it ranks. The hacker includes key steps and details to help developers replicate and validate the bug. Once the developers review and confirm the bug, the company pays the bounty to the hacker. Bug bounty programs allow companies of all sizes to leverage the hacker community to improve their systems’ security posture.” ²
Under the terms of Uber’s bug bounty program, payouts to hackers vary based on severity and range depending on a bug’s potential impact. Uber established the maximum payment at $10,000. Sullivan agreed to the hackers’ demand of $100,000, 10x the company’s pay limit, without regard to the severity of the bug.
Under the terms of Uber’s bug bounty program, Uber gave researchers permission to blog and publicize reported bugs after the bug was remediated. However, Sullivan forced the hackers to sign non-disclosure agreements barring them from publicizing the bug and communications with Uber.
Under the terms of Uber’s bug bounty program, hackers were required to disclose their identity to enable payment. However, at the time Sullivan authorized payment, the hackers’ identity had not been confirmed.
Under the terms of Uber’s bug bounty program, hackers are prohibited from dumping user data from AWS. Yet, the hackers accessed and downloaded millions of records from AWS.
Ultimately, the jury saw through Sullivan’s veiled attempt to classify extortion as a bug bounty program. Organizations can learn from the mistakes of Sullivan and Uber. Bug bounty programs are not bad; they represent a critical piece to developing and building the cybersecurity ecosystem. To limit the potential risk for companies and executive leadership, organizations should frequently audit their security practices. Those efforts may include consulting with an external cybersecurity expert on restructuring or creating cybersecurity programs for incident response.
¹ Daniel Garrie served as the cybersecurity expert witness for the U.S. Government in the Uber case. Although I did not end up testifying, I attended trial every day and reviewed all the evidence presented at trial.
David Cass, serves as President of CISOs Connect, CISO of GSR. As a Senior Partner at Law and Forensics and a former regulator for The Federal Reserve Bank of New York – Large Institution Supervision Committee, David has extensive experience in financial services, cybersecurity, risk and regulatory compliance. David has served on public and private boards, holds degrees from University of Pennsylvania, MIT and is adjunct faculty at Harvard and Rutgers Law.
Daniel Garrie, Esq. is the co-founder of Law & Forensics (Global legal engineering firm, https://www.lawandforensics.com). He holds several forensic, cryptocurrency, and cybersecurity patents. Daniel is also the co-inventor of Tabletop.ai (Enterprise Cyber Risk Platform, https://www.tabletop.ai/) and Custodytrack.io (Web 3.0/blockchain evidence management platform, https://custodytrack.io/). Mr. Garrie is also a Neutral with JAMS (https://www.jamsadr.co/garrie) and is on the Board of the Legal Cyber Academy (https://www.legalcyberacademy.com) and the Journal of Law & Cyber Warfare (https://www.jlcw.org).