One of the most overlooked challenges is that the cost of a bug bounty program can easily get out of control. This can happen because of the potentially unlimited number of vulnerabilities identified (payment of premiums), vulnerabilities used for harmful purposes (compromise of regulated data), remediation of harmless vulnerabilities (lost development time), and legal judgments (negligence in the speed of remediation). So far, only a handful of major software companies have adopted these safe harbor legal terms, including Dropbox and Mozilla.

Aaron Portnoy: As a fairly young researcher who was in charge of a very visible competition, I can say that it was definitely a diplomatic challenge and a learning experience for me. The very first year was an experience, and most people who first heard about Pwn2Own thought it was a gimmick for marketing purposes. However, as the first round of information began and the scope of media coverage expanded to mainstream media, the providers concerned began to take this seriously. Over the years, many recurring vendors have even planned their patch cycles to eliminate bugs immediately before the competition, hoping to invalidate any negative results. The more the competition grew, the more I had to work to build relationships with all parties involved, from researchers to salespeople to the press. As you can imagine, the greater the competition, the more pressure supplier representatives faced from their legal and marketing teams. For example, in the early days of Pwn2Own, our team took the exploits for analysis and delivered them to the relevant suppliers after the event. This led to a period when suppliers were not up to date but still had to respond to massive media coverage.
This process has evolved over the years, culminating in a “war room” where disclosure took place immediately after a successful demonstration in the field, which is certainly a more collaborative solution and has allowed us to maintain a relationship of trust with suppliers.

Please understand that if your security research relates to the networks, systems, information, applications, products or services of a third party (which is not us), we cannot bind that third party, and that third party may bring legal action or involve law enforcement.
We cannot and will not authorize security research on behalf of other companies, and we can in no way offer to defend, indemnify or protect you against the actions of third parties based on your actions.

Lucas Adamski (Director of Security Engineering, Mozilla): For me, the strength of any security system is simply a function of how many intelligent and motivated people have looked at it over time. There you go. It has nothing to do with who wrote it, in my opinion, almost. It's almost a matter of who actually tried to break it, and that's what leads to a strong system. So the bounties were a way of saying, “Okay, we can only have a limited number of people that we hire.” Mozilla was originally founded with the intention of not recruiting anyone. They should be contributors. So the bounty program was just for us to get contributors on the security side. I think the controversial side of the issue is, okay, why are we paying them, because we haven't paid other contributors than full-time. If we run a security bounty program, why not just make a feature bounty program? Anyone who fixes a bug or creates a feature will also get paid. It was a great cultural discussion. I think there were differences.
First of all, there is already a market for these labor products, the black market. It's not that people are usually paid to fix bugs or randomly generate unsolicited features. There's no market for, oh, I have a feature to run a little bit in something. No one will pay you randomly for the code you've written, but there's definitely a market for bugs, an underground market for it.

With so many breaches, the exposure to legal liability is enormous. There are now too many established jurisdictions that hold companies accountable. More and more failed bug bounty programs appear in the legal discovery process and are used to prove negligence. Last year's DJI bug bounty fiasco, when security researcher Kevin Finisterre pulled out of a $30,000 bug bounty after drone maker DJI threatened him with legal action, highlights the nightmare scenario that companies and bug hunters want to avoid. The GM agrees.
The 2017 framework for a VDP suggests that bug bounties and VDPs should explicitly state whether or not technical security testing is “authorized” behavior under the CFAA. By integrating the legal safe harbor from CFAA and DMCA lawsuits into contract language and promoting this legal language on a large scale among thousands of corporate clients, there is hope of defusing these draconian anti-hacking laws with contract law as a remedy. “The CFAA is not as clear about what allowed access is and what is not,” Mickos told CSO. “Our recommendation is to indicate that if you hack in good faith, this constitutes permissible conduct.”

Despite the pitfalls, we see these programs every day and know that bug bounties can still work and play an important role in managing business risk. Mickos notes that while HackerOne has never experienced a DJI-like incident or other legal issue after reporting more than 75,000 valid bugs, the Legal Safe Harbor is the best way to keep the peace between good-faith hackers and cautious companies. “The policy we had was very good,” he says, “but now of course it's the gold standard to add such language [safe harbor].”

Tommy DeVoss: Right now, no. If a company has not published publicly traded information about the bug bounty/VDP, finding and reporting a bug can lead to charges, as it is technically illegal.

First, we recommend delegating bug bounty monitoring to external legal teams.
Not only do we look for bugs, but we also protect the company's exposure to legal and regulatory obligations, because we see a legal risk that vulnerabilities identified in the program will not be corrected in a timely manner. The courts will consider whether the organization has taken appropriate steps to address the identified vulnerabilities in a timely manner, and will hold the organization accountable. There is no way to hold a bounty hunter responsible or to blame them for failing to report a bug.

That is, if legal action is brought against you by a third party, including law enforcement, for your participation in this Bug Bounty program, and you have sufficiently complied with our Bug Bounty policy (i.e., have not committed any intentional or malicious violations), we will take steps to make it known that your actions were performed in accordance with this Policy. While we consider the reports submitted to be both confidential and potentially privileged documents and, in most cases, protected from forced disclosure, please note that, despite our objections, a court may require us to disclose information to third parties.

During Barack Obama's second term, some senior administration officials began to consider bug bounties as a possible way to boost them. “[Legal Safe Harbor] is attracting attention,” Elazari says, “also because of everything that happened to DJI.”

The solution: add an explicit legal safe harbor to the bug bounty and VDP legal terms of engagement. Start with a layer of legal protection. Have your in-house counsel review the program and determine whether it is best to work with external counsel so that your organization is protected by legal privilege. Next, make sure that your bug bounty program and vulnerability remediation processes are in sync. There are solution integrations available that can help achieve this goal.
The common denominator is the coordination of stakeholders, frameworks and delivery resources, and the establishment of effective planning and communication.
Please note that we cannot approve out-of-scope testing on behalf of third parties and that such testing does not fall within the scope of our policy. Refer to that third party's bug bounty policy, if any, or contact the third party directly or through a legal representative before running tests against that third party or its services. This is not an agreement on our part to defend, indemnify or protect you against the actions of third parties based on your actions.

Hackers who conduct security research in good faith could be prosecuted under criminal or civil law, Elazari warns. “Are bug bounties the real safe harbor they claim to be?” she asks. After analyzing hundreds of bug bounty terms, her answer to this question is no. Bug bounties have their place.