Bug Hunters Dump User Data. Can They Keep it? Well They're Keeping it Anyway.

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes).

<div><span>A security researcher used a modern bug bounty platform to disclose an accidental dump of personal data of ~50,000 FAANG company's users from that company's servers. The data passes through several 3rd party systems not related to the company and lands on the researcher's laptop. What were the legal obligations of the company running the program to protect the data affected? What were the legal obligations, if any, put on the researcher around protecting the data? Who should be responsible for the cleanup?</span></div><div><span><br></span></div><div><span>You may be surprised to learn this FAANG company never disclosed the dump, and both the researcher and the 3rd parties continued to have access to the data. </span></div>

Presenters:

  • Whitney Merrill - Data Protection Officer and Lead Privacy Counsel, Asana
    Whitney Merrill loves privacy.. no really, she really loves it. To feed her insatiable need to advance privacy in the world, she is Asana's Data Protection Officer, heading up the growing privacy team. For most of her career, she has supported security teams in developing bug bounty programs and managing incident response. Previously she was Privacy, eCommerce & Consumer Protection Counsel at Electronic Arts (EA) and an attorney at the Federal Trade Commission. She has a master’s degree in Computer Science from the University of Illinois in Urbana-Champaign where she explored issues associated with the intersection of technology, information security, privacy, and the law. In her spare time, she runs the Crypto & Privacy Village, a non-profit, which appears at DEF CON & BSidesSF each year. You can find her tweeting about security, privacy, and other random things at @wbm312.
  • Dylan Ayrey - CEO, Truffle Security Co
    Dylan is an application security professional previously at Salesforce and Netflix who recently co-founded an Open Source security company called Truffle Security. He has had the honor of speaking at Black Hat in 2020, and has spoken at Defcon on 2 occasions, as well as many other security conferences on a wide range of topics ranging from Application Security to Cloud Security.

Links:

Similar Presentations: