Lawmakers probe bug bounty payouts

A 2016 payout to hackers put Uber in the crosshairs of a Senate panel investigating the practices of companies using "bug bounties" to encourage researchers to identify and report security flaws.

Uber's Chief Information Security Officer John Flynn was in the spotlight for much of the hearing, inundated with questions about the ride-hailing app company's failure to notify drivers of a breach in 2016 and use of its bug bounty program to pay ransom to hackers for stolen data.

"We strongly support a unified, national approach to data security and breach standards," Flynn said in his testimony, adding in the question-and-answer session that patchwork state breach notification laws "are a challenge for all companies and defenders to contend with."

But legal and regulatory challenges also confront companies looking to harness the expertise of the security community.

HackerOne CEO Marten Mickos called on Congress to reform the Computer Fraud and Abuse Act, which criminalizes unauthorized computer access without making specific allowances for some security research activities.

"Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed," said Mickos, who criticized the CFAA for having "vague wording that has not kept pace with the proliferation of the internet."

The Justice Department is at work on guidance to allow for the CFAA to take security research into account.

Mickos also encouraged senators to remove the CFAA's criminal penalties for actions that don't harm consumers, such as white-hat hacking or vulnerability research.

Flynn admitted Uber "made a misstep" in not reporting the breach to customers, employees  and law enforcement. He also used his testimony to advocate for a national breach notification standard.

But bug bounty programs' high-dollar rewards drew the most scrutiny during the hearing, as senators worried about incentivizing malicious hackers to find vulnerabilities and exploit them for economic gain.

"There's a difference between a security consultant who says, about your home, 'You have this vulnerability to forced entry,' and the criminal who says, 'You have this vulnerability to force entry, and I have your child: pay me $100,000,'" Sen. Richard Blumenthal (D-Conn.) said to Flynn about Uber. "So concealing it in my view is aiding and abetting that crime."

Bugcrowd founder Casey Ellis said in an emailed statement that Uber's response "was not a bug bounty payout."

"This was extortion," he said. "Bug bounty programs operate in a controlled environment with secure communication on all ends to facilitate interactions between businesses and the researcher community for safe and effective security testing."

Mickos named Hack the Pentagon as an example of success, where the Defense Department paid $150,000 in bounties for 138 vulnerabilities during its two-month pilot program, which could have cost upwards of $1 million in cybersecurity firm contracts. Mikos added that HackerOne, which worked as a contractor on Uber's bounty program, only pays bounties after verifying with the contracted company that the bug find was legitimate.

Flynn said Uber was wrong and its behavior was inconsistent with how the bug bounty program should work, adding that and the "multistep malicious intrusion" bore a valuable lesson: any organization with a bounty bug program needs a contingency plan for data extortion attempts.

But the problem with bounty programs could be in the reward itself rather than an organization's policy.

Luta Security's CEO Katie Moussouris warned that bounties should have limits because it is more lucrative to be a security researcher than a developer.

Bounties that are too high "create a perverse set of incentives where you might essentially incent some developers inside of an organization to collude with a member of the outside, to write bugs into the code," Moussouris said. "You may create an environment where it's much more lucrative to spend your time hunting for bugs than it is to develop fixes or to develop new code."

Moussouris said there's already a skew in the market "where it actually is much more lucrative to be a bug bounty hunter than it is to be developer."

According to a recent HackerOne report, software engineers can earn up to 16 times more than their standard salary worldwide by hunting for vulnerabilities, with top researchers earning nearly three times a typical salary in their home country.

Ultimately, she said, bounties are "more of a token of appreciation even if it's a six-figure payout," and that's how they should be treated.