A wide range of organizations have embraced vulnerabilitydisclosure programs (VDPs) that actively encourage members of the public to hack into their own company systems. Under a VDP, a company invites “good” or “ethical” hackers to explore the company’s systems and then to report back about any discovered weaknesses. The information reported is then used to fix the vulnerability and to implement stronger protections going forward. A form of VDP surging in popularity is the bug-bounty program (BBP) in which financial or other incentives are offered to outsiders for reporting relevant information.
BBPs have come into favor because they represent a cost-effective “force multiplier” that can augment existing efforts a company may be pursuing to identify and remediate vulnerabilities. Companies are understandably attracted to the idea of making a $500 payout (the approximate average reward for a discovered bug of any severity) as an alternative to enduring an incident that could ultimately cost millions of dollars. Some companies see such programs as a lowercost complement to increasing investment in internal security measures. Even large institutions that make substantial investments in internal security experts recognize the value of enlisting outside actors with a new perspective to stress test and supplement those efforts.
As the benefits of having a BBP have become widely known, a growing range of companies have decided to adopt them. Such programs are no longer the exclusive province of technology companies, including giants like Google, but also include retail and service companies, such as Starbucks. Over the past year, we have seen companies of all sizes and industries institute these types of programs to good effect.
Notably, the U.S. government has joined these efforts with programs such as “Hack the Pentagon,” a bug-bounty program instituted by the U.S. Department of Defense in 2016 after a successful pilot. As then-Secretary of Defense Ash Carter observed, “We know that state-sponsored actors and blackhat hackers want to challenge and exploit our networks. . . . What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.”
While there are considerable benefits to gain from having a BBP, companies must be careful in how they design and implement these programs to avoid legal and reputational risk. Both the design phase of the program as well as the response to specific reports can pose challenges that must be navigated carefully. Based on what we have observed, there are several topics organizations must pay special attention to:
• When designing the program, think carefully about what network components and data to include and consider making sensitive information off limits. This point was emphasized in Department of Justice (DOJ)-issued guidance on VDPs. Entities must consider a number of factors when deciding what should be included within the scope of a BBP. Such factors include the sensitivity of the information, the safeguards already in place, and any applicable regulatory or contractual restrictions. To the extent an organization decides to include within its BBP a system that contains sensitive information, organizations might consider implementing technical methods that prevent participants from being able to access the information.
• When drafting the publicly available policy for the program, be clear on the scope of authorized conduct. It may be useful, for instance, to prohibit participants from engaging in any intentional conduct that changes user-generated data, impairs or disables systems, or that otherwise makes data inaccessible or includes the downloading of any company information. Not only does this clarity avoid creating questions later in a civil-suit context about what may have been “authorized” through its program, it also removes a potential impediment to DOJ bringing a criminal case under the Computer Fraud and Abuse Act arising out of a malicious hack of the company’s systems.
• Consider what federal agencies have stated about VDPs. DOJ is not the only federal agency thinking seriously about VDPs. The Federal Trade Commission, National Highway Traffic Safety Administration, and Food and Drug Administration have issued guidance on best security practices that include consideration of VDPs. • Decide in advance what proof is needed to confirm a hack. Companies also should specify how that information should be shared with them.
• Assign a central point of contact to receive vulnerability disclosure reports and be clear about which personnel are authorized to answer questions about the program. It is easier to respond to unusual reports and difficult questions if there is a clear point of reference for report processing. Questions that raise new and unanticipated legal issues should be handled carefully.
• Be clear and transparent about whether and how you will pay a bounty. This means setting reward amounts for different discoveries. Additionally, while some organizations offer cash rewards, others, like Massachusetts Institute of Technology, offer alternative perks.
• Only pay a bounty if it is for an activity that is specifically authorized by your policy. It is important to create rules and to follow them closely. Otherwise, a company might put itself into an unfavorable negotiating position with participants.
• Consider using test accounts. This will help to ensure that customer data is not unnecessarily compromised through the BBP.
• Consider a third-party host. Depending on the company, there may be value to using a third-party platform to host the program.
Each organization is different in terms of the types of information it holds, the legal regimes to which its information is subject, and the contractual and other obligations that may restrict disclosure. Additional legal issues arise where a company stores data or conducts activities outside the United States. The International Organization for Standardization and the International Electrotechnical Commission published standards on designing VDPs and, like DOJ, recommend that any company that adopts a VDP obtain legal advice in order to ensure that their programs are consistent with local laws.
The bottom line is that BBPs are a valuable tool that should be carefully designed and deployed to maximize benefits and reduce risks to the organization. The above lessons should not dissuade organizations from giving BBPs serious consideration. But they highlight the value in taking time to design and implement the programs thoughtfully.