Are Bug Bounties a True Safe Harbor?

Image

Security vulnerabilities are becoming the new oil, and the bug bounty economy is booming. As news of cyberattacks and data breaches continue to consume the press, never before has the market for vulnerabilities been so dynamic. “Bug bounty programs,” frameworks where security researchers legally trade previously undiscovered vulnerabilities for monetary and reputational rewards by ethically disclosing their findings under a safe harbor, are becoming a “best practice” in cybersecurity, expanding across industries. The latest reports indicate that tens of thousands of hackers participate in such programs and that tens of millions of dollars are currently distributed in bounties. But who dictates the rules of this emerging marketplace for security research and bug discovery? Can bug bounties be a true safe harbor for bug hunters, as they claim to be? Who safeguards the legal interests of hunters? Ultimately, the terms of the programs are prescribed by the sponsors and intermediary platforms, using multiple layers of unilaterally drafted “take-it-or-leave-it” contract terms. So, if you’re a hunter, ask yourself: have you ever paid attention to the legal fine print? If you’re a sponsor, ask yourself: am I indeed facilitating ethical security research? In my BsidesLV talk, I will present a novel survey of tens of bug bounty legal terms suggesting that platforms and companies often put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of authorizing access and creating “safe harbors.” While some organizations, including governmental, commit not to pursue legal actions against hackers that stay within scope, others leave hackers exposed. Program sponsors and platforms often require hackers to comply with “any applicable laws” without allowing them to do so by not authorizing access to targeted systems, subjecting them to EULAs that prevent reverse engineering and tinkering, and expecting hackers to become legal experts and resolve discrepancies between tens of pages of conflicting terms. Hackers want to play by the rules, but the rules won’t let them. Therefore, I say, the rules should change. I suggest simple steps that should and could be taken in order to minimize the legal risks of nearly 100,000 hackers participating in bug bounties, as well as to create a “rise-to-the-top” competition over the quality of bug bounty terms. In my talk, hackers will learn not only which terms they should be aware of in light of recent developments in anti-hacking laws, such as the new DMCA exemptions, but also which terms they, individually and through the platform, should demand to see. As the practice of sharing vulnerabilities is looming in both private and governmental realms and more regulations require pen testing, never before has it been more important to shield hackers who seek to participate in legitimate vulnerabilities trading from legal risks. Hunters shouldn’t surrender to this take-it-or-leave-it mentality. Hackers and individual security researchers, as prominent stakeholders in the highly profitable info-sec industry, should unite and collectively bargain for their legal rights, something which would be similar to what is already done in other industries. Doing so would make sure the voice of the individual hacker is heard. Contracts and laws will continue to play a role in the highly regulated field, and conflicts of interests and agency problems will inevitably arise. Therefore, hackers should not only pay attention to the fine print but should also consider uniting to safeguard their interests. Indeed, this survey is just one manifestation of a general narrative in the legal landscape: the law continues to struggle to facilitate the “white-hat” hacking security research practice, resulting in various anomalies and leaving hackers that seek to do good often legally exposed. It is crucial that a least on their parts, entities that seek to facilitate security research and are engaged in private “cyber” ordering through boilerplate contracting will craft terms that support such research, not undermine it. Legal scholars have been writing about these issues for years, but the message hasn’t sunk in yet. This is a call to action for ethical hackers to unite, negotiate, and influence the emerging legal landscape of their industry, as their actions speak louder than scholars’ words. Come hear more at my BsidesLV talk Hacking the Law: A Call for Action – Bug Bounties Legal Terms as a Case Study at BSidesLV on Tuesday, July 25 at 19:30 (Common Ground). If you can’t make it to BSidesLV, you can also hear me at Defcon Skytalks Village, Friday, July 28, 18:00.  

Image

Abut the Author: Amit Elazari is a doctoral law candidate at UC Berkeley School of Law and a CTSP Fellow at Berkeley School of Information. She is the first Israeli LL.M. graduate to been admitted to the doctoral program at Berkeley or any other top U.S. doctoral program in law, on a direct-track basis. Her work on anti-hacking laws and Intellectual Property has been published in the Canadian Intellectual Property Journal, Berkeley Technology Law Journal (BTLJ) and Berkeley Business Law Journal blogs. She holds an LL.M., LL.B. and a B.A. in Business Administration (Summa Cum Laude) from IDC, Israel and is admitted to practice law in Israel. Amit’s work has been presented in leading IP and internet law conferences and she currently serves as the submissions editor of Berkeley Technology Law Journal, the world’s #1 Tech Law Journal. You can also connect with Amit on LinkedIn and visit her website. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.