Published: Thu, December 07, 2017
Money | By Armando Alvarado

Uber paid off hacker using bug bounty programme

But now three people familiar with the events have told Reuters that Uber used its so-called "bug bounty" program, normally used to identify small code vulnerabilities, to pay off the hacker (said to be an unidentified 20-year-old man in Florida).

It is not clear who made the decision to pay the hacker and keep the breach quiet, though the different sources said that Travis Kalanick, the then-CEO, had been aware of the data breach and the payment to the hacker in November of 2016.

In a related development, it has now been found that the hacker behind this breach is a 20-year-old man from Florida.

Two of the sources said that Uber made the payment to both confirm the attacker's identity and have him sign an NDA.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

The high payment through a bug bounty programme should have raised a few alarm bells.

Security professionals have said that rewarding a hacker who stole data would be far outside the normal rules of the bounty program, where payments are typically in the range of $5,000 to $10,000. Uber's bug bounty program is hosted by HackerOne.

As per the report, Uber also conducted a forensic analysis of the hacker's machine to make sure that no traces of data were left behind. The hacker further paid a second person who offered his services in accessing GitHub to obtain credentials for accessing Uber's data. He did say that in every case when there is a bug bounty award it processes through them.

Mr. Khosrowshahi learned of the incident after becoming Uber's chief executive in August, and he's since terminated two employees implicated in its response, Joe Sullivan, Uber's former head of security, and a deputy, attorney Craig Clark.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post announcing the hack last month. They're a company that connects security researchers with other companies.