A hundred grand for a few weeks or a month of work is way, way above that level. This is a jackpot, not a reward. Whether Uber threw out the number or the guy demanded probably won't ever be known, but I know where I'd put my bet.
For comparison, Apple's bug bounty program says they'll pay $100k for a hack to extract data from the secure enclave.
(Bug bounty programs are often probably underpaying compared to what something would be worth on the black market, but clean money is worth lots more than dirty money with a prison risk)
1. Vulnerabilities in the individual websites of specific companies have typically little to no salable value on an “open market”, black or otherwise.
2. People who manage bug bounty programs know this, and those programs are not designed to compete with a shadowy underworld. They’re just an incentive for reporting security vulnerabilities.
3. Apple’s security vulnerabilities actually do compete with a market for the sale of exploits, but this is because vulnerabilities in iOS or macOS represent vulnerabilities in deployed operating systems and software for which they are not the sole arbiter of an update decision.
> Bug bounty programs are often probably underpaying compared to what something would be worth on the black market, but clean money is worth lots more than dirty money with a prison risk
I say the following as someone who has: 1) managed a bug bounty internally as a security engineer, 2) managed bug bounties as a consultant for various tech companies of various sizes, 3) reported security vulnerabilities in bounty programs for companies you’ve heard of, 4) spoken professionally with engineers at tiny, small, medium and large companies running programs and 5) sold vulnerabilities for various reasons:
Bug bounty programs are emphatically not underpaying relative to a black market. Black market exchanges exist for vulnerabilities which impact operating systems, widely used open source software and languages. A key component of the value of a vulnerability is its half-life - that is to say, how long it can be expected to be useful. A vulnerability in Ubuntu has a half-life of years, perhaps decades. A vulnerability in Uber’s web applications has a half-life of one week. In 15 years, you will reliably find servers on the internet chugging along with a horribly misconfigured, vulnerable version of Windows or Debian and an open service written in Python 2.7. In contrast, Uber’s web applications will scarcely look the same in 15 years, and the company can deploy a hotfix to the entire landscape of the vulnerability (their centralized servers) in 24 hours.
Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in Facebook Ads Manager, or some random Uber server with sensitive data, within a week? Sure, but it’s contrived. The risk/reward ratio just isn’t really there.
I’ve continually crusaded against what you’re claiming on HN for literally years now. It’s simply not true. I don’t mean to be harsh on you in particular, but the confident repetition of incorrect claims becomes frustrating.
This may apply to regular random companies, but does it really apply to very known, rich brands like Uber?
> Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in (...) some random Uber server with sensitive data, within a week? Sure, but it’s contrived. The risk/reward ratio just isn’t really there.
This is Uber we're talking about. It's not exactly a universally loved company. I can easily imagine someone interested in profiting from the extra bad press and attention caused by a data breach.
I would pay 10BTC for a recent copy of Uber user db containing at least the emails, names and phone numbers of all users.
Sure, kill the credit cards, who gives a fuck.
Knowing where Uber users live, their usual time home on a Friday or Saturday night, whether or not they're throwing up with a chance of not remembering anything (I stole) would be fantastic. Oh, I could also sell this to anyone doing ANY datamining to easily enrich their data set.
This is 10 seconds worth of thought, do you really think the Uber data set has so little value?
No. I’m saying that a vulnerability in Uber’s software has very little value.
More precisely, I’ve sold data (and analysis thereof) to the financial sector. I’ve even sold unique data on Uber and UberEats specifically (not gained through a security vulnerability). Data and vulnerabilities are distinct products with separate buyers. Companies interested in data like this are mostly interested in it being sourced, at worst, through scraping or mining. They’re usually skittish about outright vulnerabilities, and have a sense of how likely it is data was obtained in a legally defensible manner.
On the other hand, buyers of vulnerabilities are mostly not using them for interesting dataset acquisition. They weaponize the vulnerabilities themselves instead of buying any single output from a vulnerability, and they mostly use them for developing botnets or constructing online “holes” for identity and credit card harvesting on an ongoing basis.
The point of purchasing vulnerabilities is gaining a privileged position for ongoing compromise that replenishes for a reasonably long time. No one is saying these vulnerabilities are bad; I’m specifically telling you the vulnerabilities are not generally salable, because the parties interested in them have little to no overlap with the parties interested in data. Furthermore, those two markets have separate intentions, processes and risk/reward ratios.
A dataset and a vulnerability that can lead to a dataset are simply not comparable. I believe someone would probably be willing to purchase this particular data, but I do not believe you could weaponize this data on an open market with any regularity, and bug bounty programs would not take this into account when calibrating their payouts.
Finding an organization willing to buy a legally sourced, unique dataset is comparatively easy. So is finding an organization willing to buy a vulnerability that can be weaponized towards a significant number of servers on the internet. But finding an organization willing to buy a vulnerability just for its data value, or an organization willing to use illegally sourced data, is hard. Not impossible, but rarer than either of the other two examples. There is not a regular market for it.
To take your FB Ad Manager example... just recently there was a bug that allowed people to start campaigns for free (by somehow charging the bill to unrelated accounts). A bug like that has a small half-life, but if it lets someone use up a million dollars in targeted ads over one weekend for free, I would think you could still get quite a bit for it on a black market.
But instead of taking that argument I’m going to say this: I have been heavily involved in bug bounty programs during my career thus far and I’ve sold data to hedge funds for companies like Uber (not using security vulnerabilities, however). In fact, I have specifically used unique, originally sourced and curated UberEats data to forecast GrubHub’s revenue and market share over time. I’ve even managed bug bounties for several companies and participated in them. I’ve had people threaten me with taking a vulnerability public in the hopes of receiving a payout, etc, etc.
I’m harping on all of this because vulnerabilities and data are very different products, and have very different markets. A vulnerability is salable to a black market under specific conditions; the people interested in acquiring unique data are, to a first approximation, none of the people interested in buying a vulnerability. One of these markets is interested in illegally generated, extremely high profit on an ongoing basis which they can mostly control end to end. The other market is very risk-averse, and is interested in profitable analysis of the data.
You could certainly find some counter-party willing to buy this kind of data eventually, but it would not be a traditional blackhat organization, and it would not be a routine regularity as it is with vulnerability exchanges. Further, bug bounty programs still would not calibrate their prices based on this, because it would be rarer than vulnerability sales.
"Just throw money at it" seems to be a more integral strategy of their corporate playbook than most companies.
To a first approximation, no bug bounty for web application or mobile application software competes with any black market. In fact there is no black market for those vulnerabilities. These vulnerabilities exist in a centralized system, and therefore have virtually no half-life, which means little to no value. They’re not salable.
Much to the chagrin of people who speculate one way or another about bug bounty payouts on message boards like this one, bug bounty programs do not calibrate their program payouts to compete with a real or perceived black market.
The reason for this is obvious: bug reports have value to a company, but dumps of their own internal data do not. The only buyers of vulnerabilities on a white hat market are the companies who are victims of the vulnerabilities. The bug reports are valuable to those companies because it allows them to patch previously unknown vulnerabilities. But data breaches are not valuable to them in the same way. Why would they pay you for their own data that they already have? It’s not analogous to buying vulnerabilities, because the company gains nothing new.
Therefore the argument that the stolen data would be worth more on the black market than the white market is a moot point, because there is no white market for stolen data. If you’ve stolen data, you’ve overstepped the bounds of any reasonable bug bounty program, at a greatly increased risk of prosecution. Your options are to 1) stop and do nothing, 2) sell the data on the black market, 3) attempt to responsibly disclose the breach, knowing you are in a vulnerable legal position having downloaded the data, or 4) extort the company.
(Notice that “sell the data on a white hat market” is not an option.)
What we do not know in this case is if the hacker chose #3 or #4. It seems like he used social engineering to get the GitHub credentials, which would normally fall out of bounds for bug bounty programs (never mind the data breach itself). That seems to support the speculative conclusion that the hacker went into this with malicious intent. So does the fact that he resorted to HackerOne seemingly post facto, as the article mentions, so Uber could “verify his identity.” But perhaps he was just naive. We don’t know.
I second what others have said. The fact that this is Uber makes me inclined to believe they initiated the offer of $100k.
Such reward schemes are set up as a sort of competition, or bet. You invest time not knowing if you will find anything worthy of a reward. If you expect to have a 10% chance of finding a vulnerability, the reward needs to be 10x the value of the work for it to be a worthwhile use of your time.