Content Deep Dive

The Uber Breach: Extortion Does Not Equal Bug Bounty

Blog post from Bugcrowd

Post Details

Author: David Baker
Word Count: 664
Language: English
Summary

The bug bounty market is evolving rapidly, and many organizations have embraced the concept even though some confusion remains about paying hackers for vulnerabilities. A clear understanding of the distinction between a bug bounty and extortion is essential: a bug bounty is a reward offered for vulnerabilities discovered within a defined scope, whereas extortion involves exploiting a vulnerability, selling the resulting information back to the organization, and then attempting to collect payment. In the Uber breach, a hacker exploited a vulnerability and was paid a ransom by Uber; some argue this was best practice, while others see it as extortion. A bug bounty program should have clear guidelines, mutual respect between researchers and companies, and a trusted partner to help manage the relationship. Responsible disclosure programs shift the balance by removing uncertainty about what will happen when vulnerabilities are discovered, and a trusted partner can help build a competitive program that draws top researchers.