Uber updating bug bounty policies in response to 2016 data breach

Uber has announced a suite of changes to how it will reward researchers who discover flaws in its security systems.

To start, the company says it will update the terms of its ‘bug bounty’ program to clearly define what the company does and does not consider “good faith” vulnerability research, particularly in the context of privacy and ethics.

Uber is also updating its policies to state that it will not pursue or recommend legal action against good-faith hackers who submit flaws through the bug bounty program. The company also says it will offer support to any of these good-faith hackers who face litigation from other companies as a result of their Uber bug submissions.

Further, the bug submission form will be updated to ask whether personal consumer information may be exposed through the discovered flaw.

Finally, Uber says it will test an option that allows researchers to donate their bounties to charity, with proceeds matched by the company.

The revision of the bug bounty policies comes as part of a larger effort from Uber to address concerns over how it handled a data breach in 2016.

In November 2017, it was revealed that an October 2016 cyberattack accessed the personal information of over 50 million Uber customers, including names, phone numbers and email addresses. Former Uber CEO Travis Kalanick became aware of the incident one month later and paid $100,000 USD for the hackers to delete the data, while no Uber customers were informed of the breach.

Via: Reuters
