At a hearing yesterday on its 2016 breach response, Uber Chief Information Security Officer John Flynn told the U.S. Senate Committee on Commerce, Science, and Transportation that its handling of the incident was wrong and that's "not the way we're going to do these things moving forward." Flynn was specifically referring to the fact that the company didn't publicly disclose the breach — which exposed the information of 57 million riders and drivers — until late 2017 and paid the hackers who infiltrated the company's systems $100,000 for their discretion on the matter, an action Sen. Richard Blumenthal, D-Conn., called "morally wrong and legally reprehensible."
The hearing did not focus on what Uber did wrong; Flynn acknowledged from the start that it misstepped. It focused instead on the merits of bug-bounty programs in general and what kinds of parameters companies should or shouldn't set to ensure the kind of extortion Uber faced doesn't become an industry norm.
Flynn was not alone among co-panelists in his assertion that bug-bounty programs are critical to detecting and fixing information-security vulnerabilities. Katie Moussouris, CEO of Luta Security, and Marten Mickos, CEO of HackerOne, which operates bug bounty programs and worked with Uber during its breach, both testified on the importance of such programs to protecting consumers and a healthy global economy.
Uber's own bug bounty program has assisted in detecting more than 800 vulnerabilities, and the company has paid out about $1.3 million in rewards, which Flynn called a modest cost for the benefit reaped.
But the "2016 data-security incident unfolded in a way that's entirely different from a typical bug bounty," Flynn testified. On Nov. 14, an anonymous source emailed Uber's security team claiming it had access to Uber data and demanding money. Uber first validated the claims and locked down the point of entry within 24 hours, Flynn said. It then conducted forensics to determine that there had been two intruders, obtained assurances that the data had been destroyed and then paid the $100,000 via HackerOne.
"Our primary goal in paying the intruders was to protect our customers' data; however, this was not done consistently with the way our bug bounty program normally operates," Flynn said. "In my view, the key distinction regarding this incident is the intruders not only found a weakness but also exploited that vulnerability in a malicious fashion to access and download data and made extortionist demands."
The mistake, Flynn added, was allowing the hackers to extort the company, as well as not including enough legal representatives in the decision-making room to determine whether the incident triggered breach-notification obligations.
While bug-bounty programs are essential and widely used, Moussouris agreed, companies and governments using them should be mindful that what's emerging is a perverse reality, in which it's becoming more lucrative to be a bug-bounty hunter than it is to be a developer working to avoid vulnerabilities in the first place.
"We do have to be mindful of this market and make sure we're not ... over-rewarding," she said. "There should not actually be a direct correlation between resulting potential harm and defensive market price. It is much more a token of appreciation."
She said payments, which Mickos said range from $500 to $250,000 depending on the severity of the vulnerability, should be set at a level that piques the interest and creativity of the hacker community, "but not setting them so high ... that you're creating this much more lucrative business" than the business of information security itself. Otherwise, she suggested, developers could have an incentive to collude with bug-bounty hunters: plant a vulnerability, then cash in together on the prize waiting on the other side.
Bounty values should not be negotiable, Moussouris said, and they aren't a replacement for in-house due diligence. Companies can't sit back and pay bounty hunters, a growing industry, to save on the costs and time required to create and maintain safe systems.
Blumenthal asked Flynn whether Uber now has clear limits in place, "parameters for nonnegotiable and clearly defined policy on how much you will pay?"
Flynn said that's something the company is working to figure out.
More broadly, both Moussouris and Mickos called for updates to the Computer Fraud and Abuse Act to ensure that those acting in good faith to expose vulnerabilities can't be prosecuted under the law. Blumenthal, in addition, called for increased powers for the Federal Trade Commission to go after bad actors and for a baseline federal privacy legislation to bolster consumer protections.
The hearing was live-streamed and its archive can be accessed here, as can written witness testimonies.