> That's right, the response contained Facebook's /etc/passwd. Now we were going somewhere. By then I knew I had found the keys to the kingdom. After all, having the ability to read (almost) any file and open arbitrary network connections through the point of view of the Facebook server, and which doesn't go through any kind of proxy was surely something Facebook wanted to avoid at any cost. But I wanted more. I wanted to escalate this to a full Remote Execution.
> A lot of bug bounty programs around the web have a rule that I think is very sensible: whenever you find a bug, don't linger on messing around. Report the bug right away and the security team will consider the worst case scenario and pay accordingly. However, I didn't have much experience with the security team at Facebook and didn't know if they would consider my bug as a Remote Code Execution or not. Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to an RCE and then work on it while it was being fixed. I figured that would be OK because most bugs take a long time to be processed, and so I had plenty of time to try to escalate to an RCE while still keeping the nice imaginary white hat I have on my head. So after writing the bug report I decided to go out and have lunch, and the plan was to continue working when I came back.
That's the difference between paying a ransom and a bounty.
The hacker definitely downloaded files, but Uber also asked him to download production data to confirm the hack (um, what?). Uber escalated the payout; the hack wasn't particularly interesting, but it was substantial, so who knows there. The hacker's communication was dodgy, but he eventually met in person, and the fact he didn't want to leave his house indicates a possible social disorder.
Their handling was poor, but this may just be a case of "hating uber because they're uber".
"Oh yeah? Then fucking do it then", seems fairly Uber.
So no, this was not disqualifying and he was told to do so. This is not extortion, just pay negotiations.
BB’s are complicated and can be messy. You never know what the behavior of the participant will be after the award. Someone had to fight for approval of this payout at significant career risk for themselves. If we broadly assume bad faith on the reporter or on the recipients, we’ll lose the protection that bb’s can provide and white hats will be more at risk of CFAA prosecution. We need to be more willing to make mistakes when it comes to these situations.
I think that, in this case, it is more likely that someone was told, or felt it to be the case, that their career or options were at risk unless they could come up with some sort of cover so that Uber could claim it did not have to disclose the leak.
There is a simple test for whether someone is seeking a bug bonus, or to extort you: if someone says he has a way to get your data and would you care to know how, it's a BB case, but if they say they have your data, give us some money to say we deleted all copies of it, that's extortion.
> Total bounties paid
Highly doubt 100k is included in there.
Sadly this is a core part of discourse in the Bay Area and American society at this point, which I believe contributes to people’s inability to connect well and develop shared empathy.
Keep in mind this article was written by Mike Isaac who has been a thorn in the side of Uber all throughout 2017. I highly, highly doubt after all the anti-Uber articles he's written that he's an Uber shill, someone who is pro-Uber, or someone who would just blindly believe whatever Uber PR told him.
The tone is distinctively even-tempered, which leads me to believe that maybe it should be taken at face value and it wasn't a coverup at all.
I accept that this may be too conspiracy-theoretical.
But you are free to believe whatever you want.
If you had read my previous post with more care, you would have noticed that I am tending towards agreeing with you, though with reservations.
Here's a book from an ex FBI hostage negotiator. It narrates some real case stories from the inside; it's well written and quite interesting. https://www.amazon.co.uk/Stalling-Time-Life-Hostage-Negotiat...
So “outcomes are worse if you don’t” is not relevant. Several times as many terrorism incidents with better outcomes on average is not what most people would consider effective anti-terrorism.
> Details of "hundreds, potentially thousands" of vulnerable people, including children, have been emailed to taxi firms by a council.
Just for one example from the headlines.
The digital version of kidnapping would be the hackers who stole Netflix shows and tried to ransom the money from them.