Most of all, the hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law.
Uber is illustrative of a breed of company that aimed to bulletproof its security. While many corporations were for years blissfully unaware of hackers penetrating their systems, Uber and others recruited former law enforcement and intelligence analysts and installed layers of technical defenses and password security. They joined other companies in embracing the same hackers they once treated as criminals, shelling out bug bounties as high as $200,000 to report flaws.
Yet since the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches.
“Anything that causes organizations to take a step backwards and not welcome contributions from the security community will have a negative impact on all of us,” said Alex Rice, a co-founder of HackerOne, a security company whose business is to work with customers, including Uber, to manage interactions with and payments to hackers.
The situation is complicated by Uber’s track record for pushing boundaries, which put it under scrutiny last year and helped spur the resignation of Travis Kalanick, its longtime chief executive, in June. Mr. Khosrowshahi has since vowed to change the way the company conducts itself.
This account of Uber’s hacking and the company’s response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber’s security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen…