
In a bug bounty program, you agree to the terms before participating and in particular those terms include not exfiltrating data.

These hackers were not participants in the bug bounty program, and extorted money from Uber. They were not in any way "consultants", even retroactively.

But that's not the issue at hand here, the issue at hand is the cover-up while Uber was being investigated about a similar breach.

It is also curious that HackerOne was the middleman here. I do wonder how much they knew of what was going on.



>those terms include not exfiltrating data

Is there a way to determine that your credentials are sufficient to download an S3 object without actually downloading it?

How would you know whether you'd found an information disclosure vulnerability without peeking at the information?
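
One way to answer the question above without pulling any object content, as an added example that is not part of the thread: S3's HEAD Object call is authorized by the same `s3:GetObject` permission as GET Object but returns only metadata, so a 200 response proves the credentials can read the object while nothing is downloaded. The bucket names, keys, sizes and the stand-in client below are constructed for offline use; with `boto3` installed the same `check_object_readable` function accepts a real `boto3.client("s3")`.

```python
"""Confirm that credentials can read an S3 object without downloading it.

HEAD Object needs the same s3:GetObject permission as GET Object, but the
response carries only metadata (size, ETag, content type).  A 200 therefore
proves read access to the object while no object data leaves the bucket.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class AccessCheck:
    bucket: str
    key: str
    readable: bool
    http_status: int
    size_bytes: Optional[int]
    detail: str


def interpret_status(status: int) -> tuple[bool, str]:
    """Map the HTTP status of a HEAD Object call to an access-control conclusion."""
    if status == 200:
        return True, "s3:GetObject allowed: metadata returned, body not fetched"
    if status == 403:
        # S3 also answers 403 for a missing key when the caller lacks
        # s3:ListBucket, so a 403 alone does not prove the object exists.
        return False, "s3:GetObject denied (or key missing and s3:ListBucket denied)"
    if status == 404:
        return False, "key does not exist (caller holds s3:ListBucket, so S3 says so)"
    return False, f"unexpected status {status}"


def _status_from_exception(exc: Exception) -> int:
    # botocore.exceptions.ClientError exposes the HTTP status at this path.
    meta = (getattr(exc, "response", None) or {}).get("ResponseMetadata", {})
    return int(meta.get("HTTPStatusCode", 0))


def check_object_readable(s3_client: Any, bucket: str, key: str) -> AccessCheck:
    """s3_client is anything exposing head_object(Bucket=..., Key=...),
    e.g. boto3.client("s3").  Only a HEAD request is issued."""
    try:
        resp = s3_client.head_object(Bucket=bucket, Key=key)
    except Exception as exc:  # ClientError for 403/404; other failures map to status 0
        status, size = _status_from_exception(exc), None
    else:
        status = resp["ResponseMetadata"]["HTTPStatusCode"]
        size = resp.get("ContentLength")
    readable, detail = interpret_status(status)
    return AccessCheck(bucket, key, readable, status, size, detail)


class _ConstructedClientError(Exception):
    """Mimics the shape of botocore's ClientError for the offline stand-in."""

    def __init__(self, status: int):
        super().__init__(f"HTTP {status}")
        self.response = {"ResponseMetadata": {"HTTPStatusCode": status}}


class _ConstructedS3Client:
    """Offline stand-in for boto3's S3 client backed by a constructed permission
    table, so the check can be exercised without AWS credentials."""

    def __init__(self, objects: dict[tuple[str, str], tuple[int, bool]], can_list: set[str]):
        self._objects = objects    # (bucket, key) -> (size in bytes, GetObject allowed)
        self._can_list = can_list  # buckets on which the caller holds s3:ListBucket

    def head_object(self, Bucket: str, Key: str) -> dict:
        entry = self._objects.get((Bucket, Key))
        if entry is None:
            raise _ConstructedClientError(404 if Bucket in self._can_list else 403)
        size, allowed = entry
        if not allowed:
            raise _ConstructedClientError(403)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}, "ContentLength": size}


def demo() -> dict[str, AccessCheck]:
    """Run the check against four constructed situations."""
    client = _ConstructedS3Client(
        objects={
            ("example-bucket", "reports/q3.csv"): (4096, True),
            ("example-bucket", "hr/payroll.csv"): (2048, False),
        },
        can_list={"example-bucket"},
    )
    return {
        "allowed": check_object_readable(client, "example-bucket", "reports/q3.csv"),
        "denied": check_object_readable(client, "example-bucket", "hr/payroll.csv"),
        "missing": check_object_readable(client, "example-bucket", "does-not-exist.txt"),
        "no_list": check_object_readable(client, "other-bucket", "anything.txt"),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8} HTTP {r.http_status} readable={r.readable} size={r.size_bytes}  {r.detail}")
    # Against a real bucket: import boto3; check_object_readable(boto3.client("s3"), "<bucket>", "<key>")
```

The `detail` strings carry the caveat that matters when writing up a finding: a 403 does not distinguish "object exists but is protected" from "object absent and listing denied", so a report should state which permissions were confirmed rather than assume an object exists.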


Bounty programs explicitly tell you to only target accounts that belong to you.

Outside of that, if you're "peeking" at information that doesn't belong to you, you immediately stop, document, and submit the report. You do not download 14,000 files as the Uber hackers did.

This is a non-trivial amount of nuance that clearly shows the hackers were not acting in good faith.


I can see it - a trusted 'intermediary' who has trust and expertise to both clients.


Yes and no. The indictment explicitly mentions the hackers got paid through HackerOne but didn't have a HackerOne account. HackerOne manually sending a payout so large, via Bitcoin no less, is strange to say the least.

https://www.hackerone.com/resources/reporting/the-2020-hacke... says they paid out $40mil in 2019 and undoubtedly would have been much smaller in 2016. This would have been a whale for them and their cut.



