Uber to update 'bug bounty' policies after 2016 data breach: executive

By Dustin Volz SAN FRANCISCO (Reuters) - Uber on Thursday plans to announce changes to how it rewards cyber researchers who report flaws in its software, a company executive told Reuters, as part of the ride-hailing firm's response to concerns raised about the way it handled a data breach in 2016. Among the changes to Uber Technologies Inc's [UBER.UL] so-called bug bounty program are new terms that more clearly define what Uber does and does not consider "good faith" vulnerability research, John Flynn, the company's chief information security officer, said in an interview. "We're clarifying the difference between researchers that act in good faith and people who don't," Flynn said. "We're doing a better job about being explicit about what those things are, because it's important these programs have high integrity." Uber will also update its policies to specifically state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through its "bug bounty" portal. It will provide support to those who may face litigation from others as a result of a bug submission. The changes are the first made to Uber's bug bounty platform since the company revealed last November the 2016 data breach of 57 million user credentials, including names, phone numbers and email addresses. Reuters reported in December that a 20-year-old man was primarily behind the breach, and that he was paid by Uber to destroy the data through the bounty platform after receiving an email from anonymous person demanding money in exchange for user data. The large size of the payment and Uber's use of the bounty system led some security researchers to criticize the company and suggest it had sought to conceal a criminal breach. "An unfortunate reaction to all this was the doubt cast by some people on whether companies should run bug bounty programs at all," Flynn said. Uber apologized for how it handled the breach months after new Chief Executive Dara Khosrowshahi was installed following founder Travis Kalanick's ouster. The company fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark. As part of the changes, Uber will test an option allowing researchers to donate their bounties to charity, which the company will match. The company will also update its submission form to include a question that asks whether personal consumer information may be exposed through the discovered flaw. Flynn said the added question is intended to more quickly trigger review internally as to whether regulators may need to be notified, a change intended to avoid repeating mistakes made during its response to the 2016 breach. A European data privacy law taking effect next month will require companies to disclose within 72 hours whether user data has been compromised. Marten Mickos, the chief executive of HackerOne, which hosts Uber's bug bounty program and provided input on its updates, welcomed the changes but said they alone would not guarantee Uber would avoid its previous mistakes. "It's not the main thing that was missing in 2016," said HackerOne Chief Executive Marten Mickos. "The main failure in 2016 was not notifying the authorities." (Reporting by Dustin Volz; editing by Grant McCool)