For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision.

[8] In 2001 and 2002, together with Scott Frewing he represented the U.S. government in United States v. Elcom Ltd. case, the first prosecution in the U.S. under the Digital Millennium Copyright Act.

[14] In 2003, he was criticized by Yuval Dror at the Haaretz newspaper for being willing to share eBay user's personal data with law-enforcement agencies potentially without proper legal framework.

[5] Sullivan assembled a security team to handle requests from law enforcement agencies globally and fight various types of cybercrime within the social network.

[5][8] He introduced a practice of security hackathons and bug bounty programs both internally and externally, encouraging coders to find vulnerabilities.

[23] In Spring 2015, Sullivan joined Uber as its first CSO, at the time when the company was experiencing multiple safety and security issues.

[27] In November 2017, Sullivan and Craig Clark, a senior lawyer at the company, were fired for allegedly covering up a major data breach in 2016 and paying hackers $100,000.

The criminal complaint said Sullivan arranged, with CEO Travis Kalanick's knowledge, to pay a ransom for the breach as a "bug bounty" to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data.