
Inside Uber’s $100,000 Payment to a Hacker, and the Fallout

2018-01-13 2 Dailymotion

After Mr. Fletcher wrote that the company’s maximum bounty was $10,000, Preacher said he and his team would only accept “six digits.”

Mr. Fletcher said he would need to seek authorization for a $100,000 payment, and would need Preacher’s reassurances that he would delete the data he had downloaded.

SAN FRANCISCO — “Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.”

The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees.

This would’ve heart the company a lot more than you think.”

Other emails obtained by The Times show Mr. Fletcher treated the incident as a bounty and encouraged Preacher to provide proof of the vulnerability, including sending a few lines of data from the database he had breached.

Mr. Fletcher drew further details about the hacker out through emails, including tidbits about his identity, his internet hosting provider, the location of his computer and proof that he deleted his copy of Uber’s downloaded data by looking at a virtual copy of his system provided by his host.

“It’s very disappointing to be finding this vulnerability in such way,” the hacker wrote in an email to Rob Fletcher, Uber’s product security engineering manager.
