Lawmakers probe bug bounty payouts


A 2016 payout to hackers put Uber in the crosshairs of a Senate panel investigating the practices of companies using "bug bounties" to encourage researchers to identify and report security flaws.

Uber's Chief Information Security Officer John Flynn was in the spotlight for much of the hearing, inundated with questions about the ride-hailing app company's failure to notify drivers of a breach in 2016 and use of its bug bounty program to pay ransom to hackers for stolen data.

"We strongly support a unified, national approach to data security and breach standards," Flynn said in his testimony, adding in the question-and-answer session that patchwork state breach notification laws "are a challenge for all companies and defenders to contend with."

But legal and regulatory challenges also confront companies looking to harness the expertise of the security community.

HackerOne CEO Marten Mickos called on Congress to reform the Computer Fraud and Abuse Act, which criminalizes unauthorized computer access without making specific allowances for some security research activities.

"Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed," said Mickos, who criticized the CFAA for having "vague wording that has not kept pace with the proliferation of the internet."

The Justice Department is at work on guidance to allow for the CFAA to take security research into account.

Mickos also encouraged senators to remove the CFAA's criminal penalties for actions that don't harm consumers, such as white-hat hacking or vulnerability research.

Flynn admitted Uber "made a misstep" in not reporting the breach to customers, employees and law enforcement. He also used his testimony to advocate for a national breach notification standard.

But bug bounty programs' high-dollar rewards drew the most scrutiny during the hearing, as senators worried about incentivizing malicious hackers to find vulnerabilities and exploit them for economic gain.

"There's a difference between a security consultant who says, about your home, 'You have this vulnerability to forced entry,' and the criminal who says, 'You have this vulnerability to forced entry, and I have your child: pay me $100,000,'" Sen. Richard Blumenthal (D-Conn.) said to Flynn about Uber. "So concealing it in my view is aiding and abetting that crime."

Bugcrowd founder Casey Ellis said in an emailed statement that Uber's response "was not a bug bounty payout."

"This was extortion," he said. "Bug bounty programs operate in a controlled environment with secure communication on all ends to facilitate interactions between businesses and the researcher community for safe and effective security testing."

Mickos cited Hack the Pentagon as an example of success: during its two-month pilot, the Defense Department paid $150,000 in bounties for 138 vulnerabilities, work that Mickos said could have cost upwards of $1 million through contracts with cybersecurity firms. Mickos added that HackerOne, which worked as a contractor on Uber's bounty program, pays bounties only after verifying with the company running the program that the reported bug was legitimate.

Flynn said Uber was wrong and its behavior was inconsistent with how a bug bounty program should work, adding that the "multistep malicious intrusion" carried a valuable lesson: any organization with a bug bounty program needs a contingency plan for data extortion attempts.

But the problem with bounty programs could be in the reward itself rather than an organization's policy.

Luta Security's CEO Katie Moussouris warned that bounties should have limits because it is more lucrative to be a security researcher than a developer.

Bounties that are too high "create a perverse set of incentives where you might essentially incent some developers inside of an organization to collude with a member of the outside, to write bugs into the code," Moussouris said. "You may create an environment where it's much more lucrative to spend your time hunting for bugs than it is to develop fixes or to develop new code."

Moussouris said there's already a skew in the market "where it actually is much more lucrative to be a bug bounty hunter than it is to be a developer."

According to a recent HackerOne report, top-earning bug hunters make nearly three times the median software engineer salary in their home country, and in some countries as much as 16 times that salary.

Ultimately, she said, bounties are "more of a token of appreciation even if it's a six-figure payout," and that's how they should be treated.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or followed on Twitter @lalaurenista.