Hacking the Law: Are Bug Bounties a True Safe Harbor

Presented at BSidesSF 2021 Virtual, March 6, 2021, 2:45 p.m. (25 minutes)

Streaming at <https://youtu.be/ljBju-TONss>

Join us at [r/BSidesSF](https://reddit.com/r/BSidesSF) on Reddit for live AMA style Q&A

(2018) In the wake of recent media headlines, bug bounties emerge as a murky legal landscape to navigate. While the vulnerability economy is booming, a novel survey of bug bounty terms reveals that platforms and companies sometimes put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of creating safe harbors. This practice already resulted in one public story concerning a bug hunter being allegedly threatened with legal action under the CFAA. This is a call for action for industry stakeholders to influence this emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could be taken to minimize the legal risks of more than 120,000 hackers participating in bug bounties. I further suggest that the industry should move towards standardization of legal terms, in light of the recent DOJ framework. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access.” Contracts and laws will continue to play a role in this murky landscape, therefore hackers should start paying attention to the fine print and demand better terms.

Presenters:

  • Amit Elazari
    Dr. Amit Elazari is a Director, Global Cybersecurity Policy at Intel Corporation and a Lecturer at the University of California (U.C.) Berkeley School of Information Master in Information and Cybersecurity, as well as a member of the External Advisory Committee for the Center of Long Term Cybersecurity at UC Berkeley. She holds a Doctoral Degree in the Law (J.S.D.) from UC Berkeley School of Law, the world’s leading law institution for technology law, and graduated summa cum laude with three prior degrees in law and business from IDC Herzliya. Her research in cybersecurity, privacy and intellectual property has appeared in leading technology law and computer science journals, been presented at conferences such as RSA, Black Hat and USENIX Security, and been featured at leading news sites such as The Wall Street Journal, The Washington Post and the New York Times. She practiced law in Israel.
