Securing The Bounty: Bug Bounties Take Center Stage In Uber CISO’s Criminal Appeal

Bug bounty programs have been prized as a cybersecurity tool by tech giants and small startups for years, but effective bug bounty programs must have ground rules.

As we approach appellate oral arguments in the history-making criminal case of Uber’s ex-CISO this summer, techies, lawyers, hackers, and investors should all be paying attention. In 2016, Uber suffered a massive data breach that exposed the data of roughly 50 million riders and over half a million drivers. In the first criminal prosecution of a chief information security officer, former Uber CISO Joseph Sullivan was found guilty of two felonies for concealing the breach: he negotiated with the hackers and routed payment to them through Uber’s bug bounty program, treating an extortion as if it were a routine vulnerability report. A federal judge in the Northern District of California sentenced Sullivan to three years of probation and a $50,000 fine. Security pros were on notice: criminal penalties were officially on the table for mishandling data breaches, and for abusing bug bounty programs. 

Bug bounty programs have been prized as a cybersecurity tool by tech giants and small startups for years. They pay ethical hackers who find security bugs in an organization’s software and disclose them to the organization so they can be fixed before a malicious actor exploits them. Some organizations run their own programs; others outsource to service providers that offer managed bug bounty platforms. While the specifics differ, incentivized security research is dynamic, significant, and successful: Google identified and fixed 2,900 security issues thanks to bug bounty researchers in 2022; Apple offers up to $2M in its Security Bounty program for the most serious vulnerability classes; and Meta paid bounties to researchers in over 45 countries in 2022. 

Effective bug bounty programs have ground rules. These rules define the scope of the program: which systems and services participants may test and which are off limits, and which testing methods are authorized and which are forbidden (for example, denial-of-service testing and social engineering of staff are routinely excluded). The rules also define who may participate. Some programs are public and open to the global hacker and security researcher community; others are private, with only certain individuals invited (for Stanford University, you must be a student, postdoc, or full-time employee; for Walmart, you may not be an employee). A key feature of bug bounty programs is the requirement that participants not access, modify, delete, exfiltrate, or store personally identifiable information or other data they encounter during testing, and that if they inadvertently do so, they stop, inform the organization, and delete the data. In return for complying with the rules, organizations often provide participants with a Safe Harbor: a commitment not to bring legal action against a hacker whose good-faith research stays within the program’s rules, even where that research would otherwise breach the organization’s Terms of Service or Acceptable Use Policies or raise questions under laws such as the Computer Fraud and Abuse Act. Participants should understand the limits of that promise: a safe harbor binds only the organization that grants it, not third parties whose systems are touched or a government prosecutor. 

Some programs condition eligibility for a reward on the hacker not appearing on a U.S. government sanctions list and not being located in a country subject to comprehensive U.S. sanctions. Organizations may also refuse to pay a bounty if a hacker threatens to withhold details of the vulnerability or to publish exfiltrated data, since that turns an application for a bounty into a demand for a ransom payment. 

Still, 93% of Forbes Global 2000 companies lack vulnerability disclosure policies, meaning published instructions for how to report a flaw without fear of legal recourse (TL;DR: how to let Amazon know you found a bug without getting sued). Best practices for bug bounty programs should include a governance system that assigns roles and responsibilities for each aspect of the program; clearly defines the reporting chain for vulnerabilities submitted by participants; sets a hierarchy for approving the payment of any bounty; requires the legal department to review every payment request to ensure it does not violate Office of Foreign Assets Control (OFAC) sanctions restrictions; establishes the procedure to follow when a malicious hacker intentionally violates the program’s rules, including when a report must be escalated and handled as a security incident rather than a bounty submission; and sets an internal communications policy that keeps the C-suite and board of directors informed of relevant developments. 

Importantly: bug bounty programs exist to protect the company, not the reputations of its security leaders (a contentious point singled out in Sullivan’s appeal, and one that everyone in the bug bounty ecosystem should hope is clarified this summer). Walking that line is complex for every party involved, from the lawyers drafting the bug bounty program requirements, to the board members attempting to meet cybersecurity education requirements, to the new security hire puzzling over whether to report a ransomware attack to the anonymous tip hotline their employer just set up. The consensus is anything but clear, and the upcoming conclusion to the Uber data breach case should help clear the waters. All ears should be tuned to the appellate arguments in the Ninth Circuit this summer.

Leeza Garber, Esq. specializes in cybersecurity and privacy law, and teaches Information Privacy Law at Drexel University’s Thomas R. Kline School of Law and Internet Law, Privacy, and Cybersecurity at The Wharton School. She owns her own consulting company offering executive education courses and keynote presentations, and her book Can. Trust. Will.: Hiring for the Human Element in the New Age of Cybersecurity was published by Business Expert Press.

Gail Gottehrer is the Vice President for Global Litigation, Labor & Employment, IT and Government Relations at Del Monte Fresh Produce and a member of the company’s Global Incident Response Team, Disclosure Committee, ESG Steering Committee, and Global Investigations Council. She is an expert on cybersecurity, data privacy, and emerging technologies law and one of the few defense lawyers to have been involved in the trial of a class action to verdict before a jury.