April 27, 2018 09:50 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/--iwsM5Zz2o/uber-tightens-bug-bounty-extortion-policies-following-2016-data-breach
Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach
lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data." One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/--iwsM5Zz2o/uber-tightens-bug-bounty-extortion-policies-following-2016-data-breach
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot