Bug bounty hunters beware.
That’s the message Amit Elazari, a doctoral law candidate at UC Berkeley who studies the legal issues around bug bounties, has for hackers. The whole idea of a bug bounty is to offer a legal way for good-faith hackers to report security issues in return for a financial reward. But many bug bounties, and even vulnerability disclosure programs (VDPs, which do not offer financial incentives), include legal terms that fail to offer security researchers safe harbor.
Hackers engaging in good-faith security research could find themselves exposed to criminal prosecution or civil liability, Elazari warns. “Are bug bounties operating as the true safe harbor they claim to be?” she asks. After analyzing hundreds of sets of bug bounty terms, her answer to that question is no.
Draconian laws like the CFAA (Computer Fraud and Abuse Act) and the DMCA (Digital Millennium Copyright Act) chill good-faith security research, and absent legal reform of these statutes in Washington (not likely anytime soon), hackers should check bug bounty legal terms to ensure they are operating with explicit legal permission.
The DJI bug bounty fiasco last year, when security researcher Kevin Finisterre walked away from a $30,000 bug bounty after drone maker DJI threatened him with legal action, brings into focus the nightmare scenario that both companies and bug finders want to avoid.
“[Legal safe harbor] is getting attention,” Elazari says, “also because of everything that happened with DJI.” The solution: include explicit legal safe harbor in the terms of engagement of every bug bounty and VDP.