Today, the Department of Justice issued a release disclosing the charges of Former Uber CISO Joseph Sullivan. The charges result from Sullivan’s attempt to cover up paying out a ransom, requested by malicious hackers after obtaining access to and downloading Uber’s database containing personally identifying information associated with approximately 57 million Uber users and drivers, in the form of a bug bounty program.
Today\’s rather escalates the ethical considerations around how Uber responded to its 2016 breach into very real legal ones. What took place in 2016 was clearly extortion, not a bug bounty payment. In a bug bounty program, the terms of engagement – including payment – are set before any sort of hacking takes place. This alignment on all sides facilitates interactions between businesses and the researcher community for safe and effective security testing, and minimizes potential for misunderstanding. In extortion, it\’s the other way around, and the threat of data exposure puts pressure on payment.
Unfortunately, this incident has also negatively influenced the public’s perception of the hacker community, and of bug bounties in general. Historically, hackers were strictly viewed as malevolent, but the industry\’s understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community. In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security posture.
Although Uber’s original issue was clearly on the side of bad faith, it has highlighted how blurry the line is between hacking that crosses legal lines into dark territory, and the kind of hacking which can be helpful. As leaders within the cybersecurity space, we have a moral obligation to support the next generation of Internet defenders as they advance the ethical hacker community forward. We must band together to fight the masses of bad actors by empowering the hackers that operate with integrity, and protecting them and their work.
I highly advise other industry leaders to consider the value of the ethical security researcher community. As the Internet plays an instrumental role in both our daily work and personal lives, this community of cyber defenders around the world work to make the Internet a safer place for everyone.