Inside Uber’s $100,000 Payment to a Hacker, and the Fallout

by RisingWorld

SAN FRANCISCO — “Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.”

The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees.

“It’s very disappointing to be finding this vulnerability in such a way,” the hacker wrote in an email to Rob Fletcher, Uber’s product security engineering manager. “This would’ve hurt the company a lot more than you think.”

Other emails obtained by The Times show Mr. Fletcher treated the incident as a bounty and encouraged Preacher to provide proof of the vulnerability, including sending a few lines of data from the database he had breached.

After Mr. Fletcher wrote that the company’s maximum bounty was $10,000, Preacher said he and his team would only accept “six digits.” Mr. Fletcher said he would need to seek authorization for a $100,000 payment, and would need Preacher’s reassurances that he would delete the data he had downloaded.

Mr. Fletcher drew further details out of the hacker through emails, including tidbits about his identity, his internet hosting provider, the location of his computer and proof that he had deleted his copy of Uber’s downloaded data, which Mr. Fletcher verified by looking at a virtual copy of the hacker’s system provided by his host.