According to Marten Mickos, the CEO of HackerOne, whenever a bug bounty award is processed through HackerOne, the company receives identifying information about the recipient in the form of an IRS W-9 or W-8BEN form before the award can be paid.
Reuters has now revealed that Uber made the payment the previous year through a programme created to give security researchers an incentive to report weaknesses they uncover in a company's software.
The ride-hailing app paid the man, whose identity is still unknown, and an anonymous accomplice to delete the data through a "bug bounty" programme, according to Reuters.
In a related development, it has now been found that the hacker behind this breach is a 20-year-old man from Florida. Sources familiar with the hack have told Reuters that the payment was made through a program created to reward bug hunters who report flaws.
The hacker also paid a second person who offered his services in accessing GitHub to obtain credentials for accessing Uber's data.
Under the terms of the deal, the unnamed man had to sign a nondisclosure agreement and agree not to compromise Uber again. The company also conducted a forensic examination of his machine to make sure the data had been purged.
Katie Moussouris, a former HackerOne executive, told Reuters that Uber's payout and silence at the time were extraordinary under such a program. New CEO Dara Khosrowshahi said in November that Uber was wrong in covering it up, and said "We are changing the way we do business". Uber spokesman Matt Kallman declined to comment on the matter.
Then-chief executive Travis Kalanick and chief security officer Joe Sullivan made the decision to pay the hackers and keep the breach a secret from Uber's customers and drivers. Rewards for identifying bugs in code are more typically in the range of $5,000 to $10,000. HackerOne's CEO said that he couldn't discuss an individual customer's programs. HackerOne is a company that connects security researchers with other companies.
Remember the unidentified man who was paid $100,000 to delete Uber's stolen data?