
Uber Prosecution Shows Incident Response Is Now a Governance Risk

Joe Sullivan · Stanford Online · Thursday, May 28, 2026 · 21 min read

Joe Sullivan, the former federal cybercrime prosecutor and security executive at Facebook, Uber and Cloudflare, uses a Stanford CS153 lecture to argue that modern technology leadership now turns as much on governance and transparency as on technical response. Drawing on his prosecution over Uber’s 2016 security incident, Sullivan says companies need to assign disclosure authority, document cross-functional decisions, and build executive trust before a crisis, because the legal and reputational failure around an incident can become as consequential as the breach itself.

The Uber prosecution turned incident response into a governance warning

Joe Sullivan frames modern security leadership around two demands that are easy to endorse and difficult to practice: resilience under public pressure, and a bias toward transparency when an organization is under stress. His central example is his own prosecution after Uber’s 2016 security incident.

Sullivan has spent his career at the boundary between technology companies and government: first as a federal prosecutor in Northern California, then at eBay and PayPal, Facebook, Uber, Cloudflare, and now as an adviser to startups, boards, investors, and security leaders. Across those roles, the recurring problem has been the same. Companies wanted trust and scale but often had little incentive to expose bad news. Government wanted to understand and police the internet but often lacked the relationships, technical fluency, or regulatory precision to do it well.

At Uber, that tension became personal. In 2016, while Sullivan was head of security, researchers contacted the company saying they had found a major vulnerability and had been able to dump a database. Sullivan says he forwarded the message to the product security team that managed Uber’s bug bounty program, as he had done many times before. His team treated the matter as a security incident, documented it, involved legal and communications, took it to the CEO, paid the researchers $100,000, fixed the underlying issue, and investigated whether the data had been deleted.

Years later, Sullivan was personally charged with obstruction of justice and misprision of a felony over the company’s failure to disclose the incident to a government agency investigating Uber. His point is not merely that the prosecution was painful or, in his view, unfair. It is that security executives now operate in a world where the worst incident is no longer only the technical failure. The worst incident can also be the organizational and legal failure around how the company responds, communicates, documents, and assigns responsibility.

  1. Fall 2016
    Researchers contacted Uber saying they had found a major vulnerability and dumped data from an old AWS-related database, according to Sullivan.
  2. 2020
    Sullivan was charged with obstruction of justice and misprision of a felony over Uber’s failure to disclose the incident to a government agency.
  3. September–October 2022
    Sullivan went to trial and was convicted after a jury instruction that Uber could not retroactively authorize the researchers’ access.
  4. May 4, 2023
    At sentencing, Sullivan says the judge stated, “It wasn’t a cover-up,” and sentenced him to three years of probation and a small fine.

The Uber incident began, in Sullivan’s telling, inside the responsible-disclosure world he had helped normalize. At PayPal in 2007, he says, the company published a policy promising security researchers they would not be sued or reported to law enforcement if they reported vulnerabilities. He later brought the same concept to Facebook. When researchers began asking to be paid for useful findings, Sullivan says he initially reacted like a former prosecutor — “I got double mad” — but eventually accepted that paying researchers could improve security. Facebook launched what he describes as the third-ever bug bounty program around 2010 or 2011.

By the time he arrived at Uber in 2015, Sullivan viewed responsible disclosure and bug bounties as ordinary security practice. Uber published a responsible disclosure policy and ran a private bounty program for about a year before launching it publicly in spring 2016. In fall 2016, a message came in: “I found a major vulnerability, I was able to dump database and other things.”

Sullivan says the vulnerability involved Uber’s AWS configuration and old databases that his team did not know existed because they had been deprecated before he and much of his team arrived from Facebook. The researchers initially wanted to remain anonymous. Uber’s security team responded through the bug bounty process and handled the report as an incident: a centralized tracker, internal notes, legal involvement, communications preparation, executive approval, technical remediation, and follow-up with the researchers.

The governance record is the important part of Sullivan’s account. He says the CEO signed off on the $100,000 payment. Legal was in the loop. Communications was in the loop. Uber had written policies assigning legal responsibility for investigation and reporting. Legal, according to Sullivan, concluded that the company did not need to disclose the matter. Communications had prepared documents in case the company decided to disclose, but those were put aside.

Sullivan’s team then worked to identify the researchers and confirm the data had been deleted. He says they learned the two were a 19-year-old in Florida and a 20-year-old near Toronto who had met through a gaming community and had contacted several companies about similar vulnerabilities. One of those companies contacted the FBI. Sullivan says Uber did not know at the time that the FBI was also investigating the same people; the FBI could not find them, while Uber’s team did.

Uber’s team contacted one researcher at his real email address, not his ProtonMail address, making clear that the company had identified him. Sullivan says the message warned him that the conduct could be viewed as extortion, while also saying Uber did not think he was an extortionist and believed he should be paid. A member of Sullivan’s team — a retired CIA intelligence officer trained in interrogation — interviewed him and prepared a psychological profile. Sullivan says that interview validated that the data had been deleted and that customers were protected.

That was the end of the matter inside Uber as Sullivan understood it: the vulnerability was fixed, the researchers were paid, legal had approved the disclosure decision, and security believed the data had been deleted.

The case returned years later in a different posture. In 2020, the FBI issued a press statement saying Sullivan had been arrested. Sullivan says he had not been arrested; he was at his desk in Palo Alto on a Cloudflare Zoom call when his daughter, then moving into her dorm at the University of Texas at Austin, called after a friend heard the report on NPR. What had happened, he says, was that he had been charged.

At trial in 2022, Sullivan says an Uber lawyer testified that her team was responsible for telling the government about security incidents, that she personally knew about the 2016 incident, and that the team did not tell the government agency investigating Uber. Sullivan, not that lawyer, was the defendant.

The legal issue that turned the trial, in his account, concerned authorization under the federal computer hacking statute, the Computer Fraud and Abuse Act (18 U.S.C. § 1030). The jury asked whether Uber had the right to extend authorization after the access occurred. Sullivan says the advice he had always received from lawyers and bug bounty platforms was based on a trespass analogy: if someone steps into your yard and you invite them in, the trespass can effectively be cured. The government argued Uber could not retroactively authorize the access. The judge instructed the jury that Uber could not give permission after the fact.

Sullivan says that instruction gutted the defense. If the researchers’ access was criminal the moment it happened, then his belief that Uber had authorized and handled the matter through a legitimate bounty process did not protect him from being held accountable for obstruction. He lost the trial in October 2022.

The lesson Sullivan draws is a governance lesson more than a procedural one. Security teams can investigate and remediate; legal can own disclosure; communications can prepare messaging; a CEO can approve a course of action. But if those responsibilities are not aligned, documented, and understood before the crisis, accountability may later attach in unexpected ways.

Sentencing made the reputational record matter

Joe Sullivan distinguishes sharply between losing the trial in 2022 and what he calls winning the sentencing in 2023. After the conviction, he withdrew from public life. Nonprofits that had previously wanted to work with him would no longer be associated with him. The exception was Ukraine Friends, a nonprofit supporting children affected by the war in Ukraine. Sullivan had already been helping Ukraine through his role at Cloudflare, and he says Ukrainians were willing to work with him because “they had nothing to lose” and did not care about his case.

He became CEO of Ukraine Friends and started a program called Digital Wings, built around a practical observation from technology companies: laptops pile up behind help desks as employees leave and companies avoid reissuing used machines to new hires. Sullivan began collecting cleaned-up used computers and delivering them to Ukrainian children who had lost a parent in the war. On his first trip, he carried 20 laptops donated by Robinhood’s CISO in his carry-on. He says he has since shipped thousands of computers and has learned the logistics and safety requirements around lithium-ion batteries.

That work became part of the sentencing record. Before sentencing, the federal probation office prepared what Sullivan describes as a roughly 75-page pre-sentence report reviewing his life. The government initially said it would argue for three years in federal prison. Once the probation office documented his history of volunteering for the federal government, nonprofit work, and Ukraine work, it recommended probation. Prosecutors then reduced their request to 18 months, Sullivan says.

The other factor was support from the security community. Sullivan received more than 200 letters to the judge from people who had worked with him or objected to the case. Some letters were signed by groups of 60, 50, or 40 cybersecurity professionals. He describes it as “a mass uprising of support” from people who either believed the case was unfair or wanted him able to keep doing his work.

200+ letters, by Sullivan’s count, were sent to the judge in his support before sentencing.

At the sentencing hearing on May 4, 2023, Sullivan says the judge gave him the line he most wanted to hear: “It wasn’t a cover-up.” The judge, in Sullivan’s account, questioned why the CEO had not been charged if the company was being held accountable, given that the CEO had been in the loop and supported the decisions. The judge also questioned what financial incentive Sullivan would have had to hide the incident. Sullivan received three years’ probation and a small fine. He says he completed probation a week before the lecture.

The experience changed how he thinks about reputation. When asked how he rebuilt his, Sullivan said support at home came first, especially from his wife. The second source was community. The letters to the judge showed him that small acts of leadership are often remembered by team members long after the leader forgets them. People wrote about lunches, conversations, and acts of support that Sullivan did not remember but that mattered to them.

After sentencing, he began telling his side publicly. For seven years, he says, lawyers had prevented him from speaking, leaving the public narrative entirely negative. He contacted the founder of DEF CON and Black Hat and asked for a chance to explain the case. He was offered an off-the-record talk at the Black Hat CISO summit if he would also do an on-the-record talk at DEF CON. Sullivan says he was nervous enough to wonder whether he would be booed. Instead, after his Black Hat talk, he received a standing ovation from peers he describes as some of the best security leaders in the world. That gave him confidence to build his consulting business.

Startups, he says, were easier clients than large companies because they cared more about getting the best security help than about the reputational risk of association with a convicted felon. Some large companies did work with him, but preferred to keep it under NDA. Over time, he built a portfolio advising startups, working with venture firms, giving keynotes, and continuing the nonprofit work.

Transparency is not a communications preference; it is a trust strategy

Joe Sullivan uses Cloudflare as the counterexample to the corporate instinct he criticizes. At many companies, he says, security teams do not control communications during an incident. Legal decides what can be said, communications polishes the message, the CEO signs off, and the disclosure process becomes cross-functional and cautious. Cloudflare, in his account, had a different reflex.

During his first security incident there, Sullivan called CEO Matthew Prince on a Friday night. Prince’s first question was: “Who’s writing the blog post?” Sullivan says his own instinct was to focus on stopping the bleeding and protecting customers first. Five minutes later, the company’s CTO joined the incident response room because Prince had assigned him to document what was happening in real time so the company could be transparent.

A year later, Cloudflare had a major outage. Sullivan says a local team in London pushed a rule to the company’s web application firewall that “basically took down half the internet.” Sullivan and the CTO called every large customer, and Cloudflare published a detailed blog report. The next day, he says, online discussion focused less on anger over the outage than praise for Cloudflare’s transparency.

For Sullivan, that is the practical proof. Transparency does not eliminate the incident. It changes whether customers, regulators, and the public believe the company is trying to deal honestly with it. In contrast, he says Uber’s 2016 decision not to be transparent created “boiling negativity over time.”

He now advises companies to prepare for transparency before the crisis begins. In the middle of an incident, he says, a security leader usually lacks the credibility to dictate legal and communications decisions. Those relationships and decision rules must already exist. Sullivan says he advises BreachRx, a company building a platform intended to force legal, communications, and security teams to work together more directly, because he believes transparency depends on cross-functional preparation.

The leadership implication is broader. Sullivan tells security executives that once they become company leaders, their real team is not only the security organization. It is the executive team. When he mentors security leaders, he asks, “Tell me about your team.” They usually describe detection, application security, and other security functions. He says that is the wrong answer. Their team is the other executives.

At Facebook, an executive coach told him he should spend 50% of his time with other executives rather than with his security team. Sullivan now thinks security leaders may need to spend even more than that. Security is “dark and scary and confusing,” hard to measure cleanly, and usually heard from only when something is going wrong. The job of the security executive is to build enough trust with peers that, in the crisis moment, the rest of the leadership team listens.

“Leadership in 2026 and beyond is about that resilience.” (Joe Sullivan)

Sullivan compares the role to entering a boxing ring. A boxer knows he is going to get hit and still has a plan. Technology leaders, he says, should think the same way. Job descriptions rarely include “resilience” or “crisis management,” but in modern technology companies those capabilities are central. The systems are highly visible, the stakes are large, and leaders will “get punched in the face sometimes.”

“When a boxer goes into the ring, they know they’re going to get punched in the face. And they think they still have a plan.” (Joe Sullivan)

The operational lesson he draws is not to seek a career free of bad moments. It is the opposite. Sullivan tells students to run toward stressful situations because repeated exposure builds judgment. He says he is now invited into “the coolest companies on the planet” because people trust that he has acquired wisdom from surviving crises. Avoiding hard situations, in his view, also avoids the experience needed to lead through them.

The security problem has shifted from data loss to operational resilience

Joe Sullivan says the cybersecurity world has changed dramatically since the Uber incident. In 2016, the nightmare was data leaving the building. That remains a concern, but ransomware shifted the center of gravity around 2018 and 2019. By 2025 and 2026, he says, the question is also whether a company can keep operating.

His main example is Jaguar Land Rover. Sullivan says the company suffered one of the biggest cyberattacks to date, a ransomware attack, in the year before the lecture. In his account, it shut down all Jaguar Land Rover production for three months, required a UK government bailout of more than a billion dollars, and damaged supply chain companies that depended on Jaguar Land Rover payments. He says some suppliers went out of business because they could not be paid for three months, and customers could not even take their vehicles into mechanic shops during the disruption. The economic impact, he says, reached billions of pounds.

The point is not the automotive sector specifically. It is that cybersecurity incidents now cascade into manufacturing, supply chains, government bailouts, and ordinary consumer life. Sullivan cites Colonial Pipeline as the first time cybersecurity visibly affected many American citizens: people across parts of the northeastern United States lined up for gasoline because of a ransomware attack.

Sullivan traces ransomware’s roots to destructive state-sponsored attacks rather than purely criminal extortion. He names Saudi Aramco and the Sands Casino as victims of Iranian attacks, and Sony as a North Korean attack. He also says his Facebook team helped show that North Korea was behind the Sony attack and shared that with the FBI. Over time, in his account, destructive state activity evolved into private-sector ransomware, and now an entire business infrastructure exists around it. Companies keep ransomware negotiators on retainer, and Sullivan says having one “on speed dial” has become a best practice.

He believes governments were too slow to understand the implications. Law enforcement traditionally works after the crime: investigate, identify, arrest. Sullivan says that is not enough for ransomware. Governments need to act on prevention, including going after gangs before attacks occur. That is politically difficult because cyber issues compete with larger geopolitical negotiations involving Ukraine, Taiwan, and other priorities. But the economic stakes are now high enough that governments are becoming more proactive.

Sullivan says the White House cyber czar has discussed allowing companies and organizations to go on the offensive. He calls that both scary and interesting. The appeal is obvious: if the question is what to do when punched, some people want the ability to punch back, or even punch first. But he presents that as a live and difficult policy area, not a settled recommendation. His practical conclusion is that organizations cannot merely wait for ransomware to happen to them.

AI is increasing the velocity of code and the burden of release governance

Joe Sullivan connects the next phase of cybersecurity pressure to AI in two ways: AI-assisted coding inside companies, and the rollout of powerful cyber-capable models by frontier AI labs.

On “vibe coding,” the first problem is volume. One small Southeast bank he works with went from roughly 250,000 lines of code per month to about 1.25 million lines per month in a two-month period after adopting AI coding tools. Security review processes built for the old velocity struggle under the new one.

Sullivan’s example of how AI coding tools changed code volume at a small Southeast bank:

  Before AI coding adoption:    roughly 250,000 lines of code per month
  After AI coding adoption:     about 1.25 million lines of code per month
  Change described by Sullivan: fivefold increase in about two months

The second problem is that non-engineers are now merging or deploying code. Sullivan describes a Bay Area company where a marketing employee merged code into production, introduced a vulnerability, and could not fix it when security sent it back. Traditional application security assumes that an engineer receiving a proposed fix can evaluate it in context. That assumption fails when the person creating the code does not understand the codebase or the vulnerability.

The third problem is agentic behavior. Sullivan says tools such as Claude computer use make non-technical employees more ambitious about connecting systems externally. If they lack an API key, they may try to set up their own remote external server to create one. He says this is behavior a non-engineer would not previously have attempted.

There is no silver bullet, in his view. Some companies are “doing YOLO and then trying to clean up.” Smarter companies, he says, are starting with pilots, limiting use to software engineers who know better, and gradually expanding access to other groups. He does not believe guardrails alone can solve the security problem of agents operating inside companies. Permissions are too blunt: a company cannot easily say an agent has write access to email for one purpose but not another. Sullivan argues that companies will need runtime monitoring and anomaly detection around agent behavior.

His metaphor is that agents inside companies are like toddlers inside a house. They can run around, and a parent has to run near them in real time. The issue is not only what access agents have, but what they do with it.
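The point that permissions are too coarse and that agents need runtime monitoring is easier to see in code. The example below is added here and is not from the lecture or any vendor: it defines a per-task scope (which tool/action pairs and which network hosts a task may use, a finer grain than "write access to email"), runs it over constructed audit events, and trips a circuit breaker for any agent that accumulates alerts. The event schema, agent names, hosts and the TASK_POLICY contents are all assumptions made for the example.

```python
"""Runtime monitoring of agent tool calls: a per-task scope policy run over an
audit stream, plus a circuit breaker. Added example; the event schema
{"ts", "agent", "task", "tool", "action", "target"} is an assumption."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample audit log (not real data). One agent summarises a
# mailbox; another builds a data export and then wanders off-script in the
# way the text describes: a new external host, then a shell.
SAMPLE_LOG = """
{"ts":"2026-05-20T09:00:01Z","agent":"inbox-summariser","task":"summarise-inbox","tool":"email","action":"read","target":"mailbox:alice"}
{"ts":"2026-05-20T09:00:05Z","agent":"inbox-summariser","task":"summarise-inbox","tool":"email","action":"read","target":"mailbox:alice"}
{"ts":"2026-05-20T09:00:09Z","agent":"inbox-summariser","task":"summarise-inbox","tool":"email","action":"send","target":"mailbox:vendor@example.net"}
{"ts":"2026-05-20T09:01:00Z","agent":"export-builder","task":"build-export","tool":"http","action":"post","target":"https://api.internal.example.com/export"}
{"ts":"2026-05-20T09:01:30Z","agent":"export-builder","task":"build-export","tool":"http","action":"post","target":"https://api.internal.example.com/export"}
{"ts":"2026-05-20T09:02:00Z","agent":"export-builder","task":"build-export","tool":"http","action":"post","target":"https://203.0.113.7:8080/newkey"}
{"ts":"2026-05-20T09:02:05Z","agent":"export-builder","task":"build-export","tool":"shell","action":"exec","target":"ssh root@203.0.113.7"}
"""

# Scope per task, not per agent identity: the same email credential may be
# "read" for summarising and "send" for a notifier task. This is the
# purpose-level distinction a plain permission grant cannot express.
TASK_POLICY = {
    "summarise-inbox": {"allowed": {("email", "read")}, "hosts": set()},
    "build-export": {"allowed": {("http", "get"), ("http", "post")},
                     "hosts": {"api.internal.example.com"}},
}


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_of(target):
    """Hostname of a URL target, or None for non-URL targets like mailbox:alice."""
    return urlsplit(target).hostname if "://" in target else None


def evaluate(events, policy):
    """Check every tool call against the scope declared for its task.

    Returns alerts in event order; each alert names the agent, a reason
    ("unknown-task", "out-of-scope" or "unexpected-host") and the event."""
    alerts = []
    for ev in events:
        scope = policy.get(ev["task"])
        if scope is None:
            alerts.append({"agent": ev["agent"], "reason": "unknown-task", "event": ev})
            continue
        if (ev["tool"], ev["action"]) not in scope["allowed"]:
            alerts.append({"agent": ev["agent"], "reason": "out-of-scope", "event": ev})
            continue
        host = host_of(ev["target"])
        if host is not None and host not in scope["hosts"]:
            alerts.append({"agent": ev["agent"], "reason": "unexpected-host", "event": ev})
    return alerts


def should_suspend(alerts, threshold=2):
    """Agents whose alert count reaches the threshold: stop them in real time
    rather than waiting for a human review of the transcript."""
    counts = Counter(a["agent"] for a in alerts)
    return {agent for agent, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_LOG), TASK_POLICY)
    for a in found:
        print(a["agent"], a["reason"], a["event"]["tool"], a["event"]["target"])
    print("suspend:", should_suspend(found))
```

Two design choices matter. Scope is keyed on the task the agent was started for, so the same credential can be in scope for one purpose and out of scope for another. And the circuit breaker acts on accumulated alerts per agent, so a single unexpected host is logged but a pattern (new host, then a shell) suspends the agent before the "parent" has finished reading the log.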

The frontier-model question is broader and more political. Sullivan says the U.S. government is feeling intense pressure. He had just spent several days in Washington, D.C., volunteering with government agencies, and says officials know that powerful cyber models now held closely will become publicly available within months, even if through open-source efforts. He says he works with companies that have access to Anthropic’s cyber-use model and that it is “as powerful as everybody says,” finding things that are both amazing and scary.

Sullivan is not critical of Anthropic’s rollout. He says Anthropic did well from a communications and brand standpoint by presenting itself as helping the world on cybersecurity. He acknowledges a backlash from some security practitioners who lacked access and dismissed the claims as hype or asked why more CVEs had not been published. But he says one company he works with received access on day one and found it incredibly valuable.

He emphasizes that access alone is not enough. Companies need a harness around the model: the technology, workflow, and infrastructure that lets the model inspect systems effectively. He says every company should be building those harnesses now, and that even existing public models can find many of the same issues if used intentionally.

The rollout question remains hard. Sullivan says Anthropic publicly named about eight companies, but gave access to more organizations than it disclosed. He understands why the company would be cautious: giving one gas company access but not another, or one bank but not another, looks like picking winners and losers. At the same time, he suggests more transparency might help, especially as governments consider how to handle future releases by companies that may not be as careful.

He sees the field as still developing toward best practices. Ideally, he says, the industry could identify five best practices for rolling out a powerful model: pre-vetted organizations, signed agreements, structured processes, and risk-managed release. He thinks the industry is “walking but not running” toward that world, and governments will become more involved because they need to.

Smart regulation requires people who understand both systems

Joe Sullivan rejects the reflexive Silicon Valley position that all regulation should be prevented. He has spent years as the public face of companies in regulatory debates — including testifying before Congress on whether PayPal or Facebook should be regulated — and says “stupid regulation” can block innovation. But at sufficient scale, he argues, regulation is necessary to protect people because companies built purely to make money will not always protect everyone affected by their products.

His Facebook example is dissident groups in oppressive African countries. They used Facebook to stay in touch in ways Sullivan had not anticipated and the product had not been built to support. Their use created risks, and they asked for features to reduce those risks. Sullivan says there was no economic incentive for Facebook to build such protections, even though the need was real. That is the kind of gap where government may have a role.

The problem is government competence. Sullivan says companies often encounter regulators who do not understand the technology well enough to regulate it intelligently. His preferred answer is not no regulation, but better people in government roles. He points to the increase, beginning around the second Obama administration and continuing now, in private-sector people moving into Washington. He specifically praises Emil Michael, whom he describes as negotiating with Anthropic for the Department of War, because Michael understands both Silicon Valley and government.

That bridge matters because Sullivan believes government will inevitably become more involved in AI model releases, cybersecurity resilience, and ransomware prevention. The question is whether it does so with enough technical understanding to avoid damaging innovation while still addressing risks companies will not solve on their own.

Quantum and open source remain unsettled, but the preparation problem is already here

Joe Sullivan treats the quantum threat to today’s cryptography as a real planning issue, not a resolved emergency. He says the topic comes up constantly among senior security executives, including in closed-door discussions with leaders from oil, gas, and energy companies. Most companies, in his account, are not doing much right now. He thinks a cryptographically relevant quantum computer could plausibly arrive by 2030, especially given how AI progress has outpaced earlier predictions, so there is an argument for beginning work.

Still, Sullivan thinks much of the required work will fall to major infrastructure providers such as Google and AWS, because that is where much cryptography in corporate environments is ultimately implemented or mediated. The biggest current quantum risk, in his view, may be historical encrypted communications already collected by government agencies, the pattern usually called “harvest now, decrypt later.” If that data was protected by encryption that is not quantum-resistant, future quantum capability could make old communications readable.

He does not portray quantum arrival as an instant universal break. Quantum machines require extreme cold and specialized conditions. A few actors will have quantum capability before everyone does. There will be a transition period. Sullivan’s hope is that “the good guys get quantum before the bad guys” and can use that advantage in a managed way, analogous to how he sees Anthropic and OpenAI trying to handle powerful cyber models.
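If the near-term risk is recorded traffic being decrypted later, the first practical step is an inventory of where key exchange still relies on classical Diffie-Hellman, elliptic-curve or otherwise. The example below is added here, not taken from the lecture or any product: it reads constructed OpenSSH and nginx configuration fragments, lists the key-exchange algorithms each endpoint offers, flags endpoints with no post-quantum hybrid, and orders the migration so classical-only endpoints come first. The file paths and contents are made up; the set of names treated as post-quantum hybrids (the OpenSSH `sntrup761x25519-sha512@openssh.com` and `mlkem768x25519-sha256` methods and the TLS `X25519MLKEM768` group) is a hand-maintained assumption that a real inventory would keep current.

```python
"""Inventory key-exchange algorithms from service configs and rank endpoints
for post-quantum migration. Added example; configs below are constructed and
the PQ_HYBRID_KEX set is a hand-maintained assumption, not an authority."""

# Key-exchange names that carry a post-quantum KEM alongside a classical
# curve. Assumption for this example; extend as software adds names.
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha512@openssh.com",  # OpenSSH 9.0+
    "mlkem768x25519-sha256",               # OpenSSH 9.9+
    "X25519MLKEM768",                      # TLS 1.3 group, OpenSSL 3.5+
}

# Which directive names carry key-exchange lists, and their separators.
KEX_DIRECTIVES = {
    "KexAlgorithms": ",",   # OpenSSH sshd_config: comma-separated
    "ssl_ecdh_curve": ":",  # nginx: colon-separated, line ends with ';'
}

# Constructed sample inventory (not real hosts or files).
SAMPLE_CONFIGS = {
    "bastion:/etc/ssh/sshd_config": """
Port 22
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256
HostKeyAlgorithms ssh-ed25519
""",
    "edge:/etc/nginx/tls.conf": """
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1;
""",
    "legacy:/etc/ssh/sshd_config": """
KexAlgorithms diffie-hellman-group14-sha256,ecdh-sha2-nistp256
""",
}


def offered_kex(config_text):
    """Key-exchange names an endpoint offers, in its stated preference order."""
    offered = []
    for line in config_text.splitlines():
        parts = line.strip().rstrip(";").split(None, 1)
        if len(parts) == 2 and parts[0] in KEX_DIRECTIVES:
            offered.extend(parts[1].split(KEX_DIRECTIVES[parts[0]]))
    return offered


def assess(configs):
    """Per endpoint: what is offered, which entries are PQ hybrids, whether the
    endpoint is classical-only, and whether a hybrid is preferred first."""
    findings = {}
    for path, text in configs.items():
        offered = offered_kex(text)
        hybrid = [a for a in offered if a in PQ_HYBRID_KEX]
        findings[path] = {
            "offered": offered,
            "pq_hybrid": hybrid,
            "classical_only": not hybrid,
            "pq_first": bool(offered) and offered[0] in PQ_HYBRID_KEX,
        }
    return findings


def migration_order(findings):
    """Classical-only endpoints first: every session they protect today is a
    harvest-now, decrypt-later target. Ties broken by path for stable output."""
    return sorted(findings, key=lambda p: (not findings[p]["classical_only"], p))


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIGS)
    for path in migration_order(report):
        f = report[path]
        status = "PQ-first" if f["pq_first"] else ("PQ-offered" if f["pq_hybrid"] else "CLASSICAL ONLY")
        print(f"{status:14} {path}  offers={f['offered']}")
```

Two caveats a practitioner would add. Offering a hybrid does not mean it is negotiated; the peer must support it too, so the inventory should be checked against observed handshakes, not only configs. And the example deliberately ignores signature algorithms (the `HostKeyAlgorithms ssh-ed25519` line): forging a signature needs the quantum computer at attack time, whereas recorded key exchanges can be broken retroactively, which is why key exchange is the first migration target.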

On open source models, he is more uncertain. Sullivan says no one knows what the model landscape will look like three years from now. Large language models may or may not remain central. World models, small language models, vertical models, and startups building different architectures may change the field. The pace of large language model improvement may slow. Open-source models may catch up. The economics of ever-larger language models may not make sense indefinitely. He thinks it will take a few years before there is enough of a steady state to know how to debate the ideal model-release regime.

The common thread is timing. For both quantum and open source AI, Sullivan does not claim a settled governance answer. He argues that organizations should build the capability to respond before the technical landscape is fixed: understand where cryptography lives, build model harnesses, pre-vet sensitive deployments, and avoid waiting until powerful capabilities are already broadly available.

Security now includes coercion, insiders, and physical exposure

Joe Sullivan widens the security frame beyond software and networks. For startups he works with, the top worry is often intellectual property theft. That risk cannot be solved by background checks alone. Companies cannot fully know whether an employee has relatives in another country who might be threatened by a government. Sullivan says he has seen situations where employees were pressured when they returned home, including threats against parents’ retirement or threats of imprisonment. He says he has had employees arrested by governments overseas and held in expectation that the company would cooperate.

He also discusses physical risk to executives, especially in areas such as crypto where access to a vault or wallet may depend on a small number of people. Sullivan says there have been executives at crypto companies whose hands have been cut off because biometric access mattered. He has built executive protection programs and has seen a major increase in executives needing to worry about physical safety. He references recent concern around Sam Altman as one visible example, while saying many similar stories do not receive as much attention.

His conclusion across these domains is not that perfect security is available. It is the opposite. Companies cannot create perfect security around everything they do. They cannot vet every employee perfectly. They cannot eliminate coercion, insider pressure, ransomware, model misuse, quantum transition risk, or physical threats. But Sullivan still thinks companies should moderate releases, prepare governance structures, and manage risk as intentionally as they can.
