How does a bug bounty become a bribe?

And how encryption makes the problem go away.


Joe Sullivan, former CSO of Uber, is finding out the hard way. Back in 2017, he issued a $100,000 bug bounty, paid in Bitcoin, to a hacker who had been able to dump a database. Sullivan also required them to sign an NDA, which was odd. He failed to report it to the FTC, which was investigating a similar 2014 data breach.

It not only looked suspicious but led to felony charges on August 19, 2020, for obstruction of justice and concealing a felony. Hacking is a federal crime, and not reporting it is a crime.

But there is a fair question under all this: what is the difference between a bug bounty and a bribe? Well, a bug bounty is a payment for services rendered. No concealment is necessary, and in the end, no harm is done. The white-hat hackers who provide these valuable services could go black-hat with precisely the same skills but choose to lead an open and legitimate life. Bounties for a single bug tend to range from a few thousand dollars to $10,000.

Then there is all the secrecy around what the bug warranted: a data breach. Dumping a database of 600,000 drivers and 57 million passengers is a big deal. Today, the CCPA would come crashing down on you and could potentially end the company. But back in 2018, data breaches were not illegal; hiding one, covering up the breach while you’re under investigation, and then coughing up $100,000 worth of Bitcoin as hush money, though, is extra shady.

The deception ended when Uber CEO Kalanick resigned after a string of toxic-work-environment scandals. At first, Joe lied to the new CEO, Khosrowshahi, but the breach was finally disclosed to the FTC in 2017, over a year after CSO Joe Sullivan had learned of it. Of course, Uber settled the lawsuits brought by all 50 states and DC over the breach, to the tune of 148 million dollars. Just for the record, the CSO is supposed to protect the company from this sort of thing, not hide it and then run away, which is what he did, running off to become the CSO of Cloudflare in 2018.

Well. Long before the breach, there was an engineer tasked with building a new service. That service needed a database. Uber was a startup way back then, so time-to-market was paramount. Security groups didn’t matter. VPNs didn’t help deliver to the market faster.

Don’t even get me started on encrypting sensitive data in the application layer. Back in 2013, E2E-Encryption was tough to get right, expensive to build, and delayed your time-to-market. Today, Peacemakr publishes open-source SDKs that solve all the hard problems you have to solve to get encryption correct.

Had full E2E-Encryption been integrated, the database leaks would have been very manageable for Uber, would almost certainly not have pushed Joe Sullivan to cover them up, and would not have exposed the personal information of millions of drivers and customers.
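To make that claim concrete, here is an added example written for this post (not Peacemakr's SDK or Uber's code): each sensitive field is sealed with AES-256-GCM in the application before it is written, and the table is then rendered the way a raw dump would look to whoever copied it. The plaintext is nowhere in the dump, and the read path rejects a wrong key or a tampered row. It assumes a single application-held 32-byte key; how that key is provisioned and rotated is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type FieldCipher struct{ aead cipher.AEAD } // holds the app-side key; the database never sees it
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead}, err
}

// Encrypt seals one value on write as nonce || ciphertext || tag, with a fresh random nonce each time.
func (f *FieldCipher) Encrypt(plaintext string) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt is the application's read path; a wrong key or a tampered row fails the GCM tag check.
func (f *FieldCipher) Decrypt(stored []byte) (string, error) {
	n := f.aead.NonceSize()
	if len(stored) < n {
		return "", fmt.Errorf("malformed field")
	}
	pt, err := f.aead.Open(nil, stored[:n], stored[n:], nil)
	return string(pt), err
}

// DumpTable encrypts each constructed PII value as the app does on write, then renders "id,hex" rows: the attacker's view of a copied table.
func (f *FieldCipher) DumpTable(pii []string) (string, error) {
	dump := ""
	for i, v := range pii {
		ct, err := f.Encrypt(v)
		if err != nil {
			return "", err
		}
		dump += fmt.Sprintf("%d,%x\n", i+1, ct)
	}
	return dump, nil
}
```

In a real deployment the key lives outside the database (a KMS or HSM) and each row carries a key identifier so keys can be rotated without re-encrypting everything at once.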

In a world where the easy thing and the right thing are the same thing, there are no more excuses for data loss.

15+ Years experience leading security, Ex-Apple, Ex-Pure Storage, Ex-Symphony Communications, Co-Founder and CEO of Peacemakr, Lives in San Francisco.
