October 12, 2023 at 09:59AM
Former Uber CISO Joseph Sullivan’s lawyers have argued in an appeal that his conviction on charges related to a 2016 data breach should not stand because it threatens bug bounty programs. They describe the verdict as “profoundly flawed” and claim that it jeopardizes a valuable tool used by security teams across industries. Sullivan was found guilty of obstructing justice and misprision of a felony and sentenced to probation, community service, and a fine. His lawyers argue that he was made a scapegoat for broader security failures and that the bug bounty program he used effectively resolved the incident.
Meeting Notes:
– Former Uber CISO Joseph Sullivan’s lawyers argue that his conviction related to a 2016 data breach should not stand because it threatens the use of bug bounty programs in organizations.
– Sullivan’s legal team believes that the verdict was based on flawed theories about his responsibilities at Uber and that he was simply doing his job to protect the data of Uber drivers.
– The conviction included charges of obstructing justice and misprision of a felony in connection with the 2016 breach and attempts to conceal it from the Federal Trade Commission (FTC).
– Sullivan’s lawyers argue that the payment made to the hackers was a bug bounty and that he had the knowledge and approval of Uber’s CEO and legal team.
– The judge sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine.
– Many in the industry see Sullivan’s case as an example of CISOs being scapegoats for broader security failures at companies.
– Sullivan’s lawyers have appealed the conviction, arguing that it criminalizes bug bounty programs and fails to consider their effectiveness in mitigating security risks.
– The government’s response to the appeal is due by November 9, and oral arguments are projected to begin in the spring of 2024.
Key Points:
– Sullivan’s lawyers argue that the conviction threatens the use of bug bounty programs, which are important for security teams in all industries.
– The defense claims that Sullivan was simply doing his job as a CISO and used common tools and strategies to protect Uber’s data.
– The appeal challenges the characterization of the payment as a hush money payment and highlights the effectiveness of the bug bounty program in resolving the incident.
– The defense also raises concerns about holding individuals criminally liable for organizational decisions and emphasizes the importance of bug bounty programs in uncertain legal frameworks.
Action Items:
– Monitor the progress of Sullivan’s appeal and upcoming oral arguments.
– Stay updated on the government’s response to the appeal.
– Assess the potential impact of the appeal outcome on bug bounty programs and security strategies in the organization.