Bug bounties offer legal safe harbor. Right? Right?

Not so fast. Most bug bounties offer less legal protection than you might think. Read those legal terms carefully, bug bounty hunters.


Bug bounty hunters beware.

That's the message from Amit Elazari, a doctoral law candidate at UC Berkeley who studies the legal issues around bug bounties. The whole idea of a bug bounty is to offer a legal way for good-faith hackers to report security issues in return for a financial reward. But many bug bounties, and even vulnerability disclosure programs (VDPs, which do not offer financial incentives), include legal terms that fail to offer security researchers safe harbor.

Hackers engaging in good-faith security research could find themselves facing criminal prosecution or civil liability, Elazari warns. "Are bug bounties operating as the true safe harbor they claim to be?" she asks. After analyzing hundreds of sets of bug bounty terms, her answer to that question is no.

Draconian laws like the CFAA (Computer Fraud and Abuse Act) and the DMCA (Digital Millennium Copyright Act, in particular its Section 1201 anti-circumvention provisions) chill good-faith security research. Absent legal reform of these statutes in Washington (not likely anytime soon), hackers should check bug bounty legal terms to ensure they are operating with explicit, written permission from the program owner.

The DJI bug bounty fiasco last year, when security researcher Kevin Finisterre walked away from a $30,000 bug bounty after drone maker DJI threatened him with legal action, brings into focus the nightmare scenario that both companies and bug finders want to avoid.

"[Legal safe harbor] is getting attention," Elazari says, "also because of everything that happened with DJI." The solution: include explicit legal safe harbor in bug bounty, and VDP, legal terms of engagement.

Legal safe harbor now the "gold standard"

A large number of companies running bug bounty programs outsource their bug bounties to third-party platforms HackerOne and Bugcrowd, both of which are promoting legal safe harbor as best practice. HackerOne added legal safe harbor language into its default legal terms, and encourages its corporate clients to adopt those terms.

"Companies come to us because they know we will protect them," HackerOne CEO Marten Mickos tells CSO. "Companies can be uncertain about the motivations of hackers, and vice versa."

Mickos notes that, while HackerOne has never experienced a DJI-like incident or any other legal issue after more than 75,000 valid bugs reported, legal safe harbor is the best way to keep the peace between good-faith hackers and wary companies. "The policy we had was very good," he says, "but it's of course the gold standard now to add such [safe harbor] language."

Bugcrowd announced last week the creation of Disclose.io, an attempt to standardize best practices around safe harbor. "We're in the business of finding vulnerabilities," Bugcrowd founder Casey Ellis said in a press release. "This can be a frightening concept for people who build, run, and protect software, but it's necessary to compete against the adversaries that are out there."

So far only a handful of major software vendors have adopted these legal safe harbor terms, most notably Dropbox and Mozilla.

CFAA and DMCA are broken: contract law to the rescue

By embedding legal safe harbor from CFAA and DMCA claims in contractual language and promoting that language at scale across thousands of corporate clients, the hope is to defang these draconian anti-hacking statutes using contract law as a remedy. The mechanism is straightforward: the CFAA turns on whether access was "without authorization," and the system owner is the party who can grant authorization, so a program's terms that declare in-scope, good-faith testing authorized go directly to that element. The caveat is that the terms bind only the company that publishes them, not third parties whose systems happen to sit near the target, so hunters should confirm that every asset they touch is actually within the stated scope. "The CFAA isn't that clear about what is authorized access and what isn't," Mickos tells CSO. "Our recommendation is to state that if you hack in good faith, then that constitutes authorized conduct."

The DOJ agrees. Its 2017 framework for vulnerability disclosure programs recommends that bug bounties and VDPs explicitly state whether security testing within the program's technical scope constitutes "authorized" conduct under the CFAA.

"All the big players are well aware of the situation, we have about 20 companies with an explicit safe harbor," Elazari says. "We still do not know that safe harbor actually affects the hacker's decision whether to hack on a certain program or not, but awareness is now on the rise."

Copyright © 2018 IDG Communications, Inc.
