
Hacking the Law: Are Bug Bounties a True Safe Harbor?

BSidesSF · 2018 · 32:41 · 1.4K views · Published 2018-04
Category: Policy
Style: Talk
About this talk
Amit Elazari - Hacking the Law: Are Bug Bounties a True Safe Harbor? In the wake of recent media headlines, bug bounties emerge as a murky legal landscape to navigate. While the vulnerability economy is booming, a novel survey of bug bounty terms reveals that platforms and companies sometimes put hackers in "legal" harm's way, shifting the risk of civil and criminal liability towards hackers instead of creating safe harbors. This practice has already resulted in one public story concerning a bug hunter who was allegedly threatened with legal action under the CFAA. This is a call to action for industry stakeholders to influence this emerging landscape of cyberlaw, since hackers' actions speak louder than scholars' words. I suggest simple steps that could be taken to minimize the legal risks of the more than 120,000 hackers participating in bug bounties. I further suggest that the industry should move towards standardization of legal terms, in light of the recent DOJ framework. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure "authorized access." Contracts and laws will continue to play a role in this murky landscape; therefore hackers should start paying attention to the fine print and demand better terms.
Transcript [en]

Thank you. Good afternoon. In true Israeli fashion, I want to start with a direct question: do you know this guy? Some of you know him. One, okay. So for those of you who don't know him, this is Kevin Finisterre. He is a respected security researcher who found a critical vulnerability in one of DJI's drone systems. This vulnerability, according to reports, leaked personal information of their consumers. Now, although Kevin has lots of hair, he wanted to wear the white hat. He wanted to report this vulnerability to DJI under their just-launched new bug bounty program, but at the time this program was launched there was no clear technical or legal scope. So, according to reports, Kevin contacted DJI, and in private communication, according to reports, they indeed authorized that the vulnerability was in scope. Not only that, my friends, they also offered him for that bug the highest reward, $30,000. Not bad, right? For you hunters here, not bad. Well, then the plot thickens. According to reports, DJI also wanted Kevin to sign an agreement that he found was one-sided and that left him legally exposed. When Kevin refused, according to reports, they threatened him with legal action under the notorious Computer Fraud and Abuse Act. Well, how does the story end? Kevin ended up walking away from an approved $30,000 bounty. Yes, my friends, a new Tesla. Let's take a moment to appreciate that loss.

Well, I'm here to talk with you about what we, all of us, can do as a community to make sure this doesn't happen again. My friends, this is your wake-up call after lunch. More and more we hear about legal threats against security researchers, even reporters that are getting confronted for white hat research. This is such a big problem that the Center for Democracy and Technology has asked 50 experts and advocates to express their concern about this issue, and these might be people that you know and appreciate. And today we'll talk about how we can change a small part of that: the bug bounty legal landscape.

So I know many of you hunters are here, or maybe there are people that are running a bug bounty program, so raise your hand please. By show of hands, who here is participating in a bug bounty, involved in a bug bounty, knows about this term, a bug bounty? Many of you, thank you. Platform people there in the back, thank you so much. How many of you accessed the web page of a bug bounty policy? Nice. Now please be frank: how many of you read all the different legal terms of all the different bug bounties and the platforms? There is, I see, one hand. Okay, not too many of you, right? Well, let me tell you, I read them, and the result is a bit surprising. "I accept" is the biggest lie of the information age, and sometimes people don't read the small letters, and not always do we have a big screen like this. But I'm going to tell you today why we should all start to pay attention. Now, what we will see is that bug bounties are exploding. They attract hackers that want to follow the rules, but the rules won't let them. Therefore we need to start thinking about changing the rules. Now, since this is a terms-of-use talk, a little bit of a disclaimer of my own: while I am a lawyer, I'm not your lawyer, and I'm not admitted to practice law in the United States, and this is not legal advice.

So software is eating the world and the bug bounty economy is exploding. We have millions of bounties distributed to tens of thousands of hackers. Just look at those numbers. We have now a bug bounty for the Pentagon, for food chains, for the US Army, for Starbucks, for financial institutions. We are even giving hackers airline mileage, everything to make them a part of the solution. Now, in three and a half decades, bug bounties evolved from this marketing gimmick, report a bug, get a Bug, to a Senate bill suggesting to enact bug bounties in the Department of Homeland Security, an icon of the establishment, from the GDPR to recent FTC decrees. Bug bounties, my friends, are all over the place. Now, this is a wonderful shift in how we view researchers, and I do agree with my sister Keren that hackers are an important part of the Internet's immune system. My question is then, why here inside our industry are we still attacking friendly hackers instead of helping them to help us? Or, in other words, my friends, bug bounties are already popular; it's time we also make them fair. And if we want to make them fair, we need to start thinking about these questions. We have this exploding bug bounty economy, but who dictates the rules of the game? Are bug bounties the true safe harbor they claim to be? Who guards the legal interests of that individual hacker, the crowd, considering this is a very risky legal business?

Well, I read a lot of terms, hundreds of legal terms, to understand, because the answer to the question starts with the fine print, and what I found was surprising. Platforms and companies sometimes put hackers in legal risk by shifting the risk of liability towards the hacker instead of clearly creating a safe harbor and giving authorization. And these are some of the examples that I've seen. While some programs, even the Department of Defense until recently, would commit under contract not to pursue legal action against hackers that stay within scope, others will just leave hackers exposed, or maybe they will just say "you need to comply with all laws," here, on Mars, in your jurisdiction, wherever. How many of you have seen that kind of language? Some of you, yes. This is popular language, and I'm not saying it's not okay, I'm saying you need to give that authorized access to the hacker to enable him to follow the law. Or, in other more severe cases, the company might include a reference in the bug bounty policy to the general End User License Agreement. Yes, my friends, that contract that often says, guess what, no hacking, no spoofing, no attempt to gain unauthorized access, no reverse engineering. So this is creating by default liability for the hacker for just doing what we asked them to do. It doesn't make a lot of sense. If you want to reference the EULA, then, like PayPal for example, you can explain that the bug bounty will prevail in case of a conflict. Now, in other cases, why not just say "you don't have any permission to test the system"? Here is a bounty, but you don't have any permission. Yes, this is still a problem in 2018 in contracts in bug bounties. Other problems might include separating the legal terms from the technical scope. We all know that's a really great strategy to get your hackers to read the legal terms. Or just not having any legal part at all, and you can guess there is one company, a very big one, that is doing that, running a very big bug bounty with millions paid, with no legal part. Or there might be conflicts between different sets of contracts, the one that the platform uses and the individual program, and except for disclosure the hacker is expected to resolve those kinds of conflicts. Our legal experts, right?

Okay, so bottom line, after looking at hundreds of terms: while programs often and usually focus in great depth on the technical scope, my friends, the legal part, the authorization to access the system, is either lacking, non-existent or ignored. In 2019 the bug bounty economy is exploding, but safe harbor is not the standard, it's the exception. And my findings are also supported by the findings of a group of researchers, my future co-authors by the way, that analyzed 177 policies on the HackerOne platform and only found 17 of them have a partial safe harbor, which is a commitment not to pursue legal action. They also found that policies are really complicated. How complicated? It requires a college education at least to understand them. The readability score, in the type of indexes we're using, academic ones, is 40; just to compare, a lot of EULAs are around 30. So that's how complicated. And this is paradoxical. Why? Because bug bounties are supposed to be a vehicle, right? This is how we compete with the black market. And we also know that hackers care about their legal risk. This is, for example, research that found that 60%, six-zero, of the hackers mention that the threat of legal action is a consideration why not to disclose a vulnerability with a vendor. Yes, although legal incentives should be important, we still see terms that are in conflict with the mere purpose of security testing.

And you're probably asking why, so let me tell you. This is because this is a regime governed by take-it-or-leave-it, "I accept" contracts drafted by platforms and companies. The individual hacker sometimes lacks the legal knowledge or, more importantly, the negotiation power to change this reality. This is why it's up to us, all of us, industry, individual hunters, vendors, platforms, to demand to see a safe harbor in every bug bounty, to make that the standard. And how do we do that? So we need to take a small dive into the legal landscape, so bear with me. It's not new that the law struggles to facilitate white and gray hat hacking, and this is paradoxical, because more and more regulators, and just check out the new FTC decree, recommend that companies enact coordinated vulnerability disclosure programs or bug bounties. But there is a bit of good news: the law enables you, private companies, through contract law, to authorize access to security researchers and thereby basically create a regime where the hacker is not at risk. Yes, only for in-scope testing that you carefully define, but that's possible, and this is something that we control and we can change, because this is contracts.

So our first insight, my friends, is that this is a regime controlled not only by vague and overbroad laws like the CFAA; it's also a regime controlled by a lot of contracts that apply to thousands of thousands of hackers, that we here inside our industry can control. And our second insight is that in the land of anti-hacking laws, consent and authorization is what matters. So how many of you are familiar, have heard of the CFAA or the DMCA? Many hands in the air, right? Okay, so in a nutshell, the Computer Fraud and Abuse Act criminalizes, and sometimes creates also civil liability for, intentionally accessing a protected computer and obtaining information without authorization or in a manner which exceeds authorization. Notice: authorization. The DMCA, an amendment to the copyright law, prevents circumvention of technological barriers that effectively control the code as a copyright-protected work. This includes avoiding or bypassing measures without the consent and authorization of the copyright owner. Notice again: authorization. Now, we also have a new, now pending renewal, DMCA good-faith security research exemption, but if you take a look at the fine print, you will find that right now, and we will see how this will be renewed, that exemption also requires that the access, the testing, be in compliance with all laws. Yes, guess what, including also the CFAA and contract laws and all those EULAs that I've just shown you. So in the end there is a relationship between them; it boils down to the contractual language of the bug bounty terms. This is why authorization in the bug bounty terms is so important to facilitate security research. We also have this potential agency problem, where basically the legal interests of the hackers, the platforms and the vendors are not aligned, and because this is a take-it-or-leave-it regime, the risk is that the legal risk will be shifted towards that individual hacker.

So what do we do? How do we change that? First of all, we understand that if we are doing bug bounties, then we want to attract hackers that want to follow the rules, and if the rules won't let them, we need to change them. We need to make sure safe harbor and clear consent matter, and the way we do that is to standardize the language. We create one set of terms across platforms, vendors and companies. So if you're running a bug bounty, you should have a set of legal terms. Not only is it important for the authorization, it's also important because you need to make sure you do not confuse the hacker; there is no limitation to the testing. Then we should eliminate all paradoxical terms. So again, EULAs are for users, because you must have anti-hacking, no-reverse-engineering language. So if you want to subject the hacker to the EULA, make sure that you have a provision explaining what governs in case there is a conflict, because in most cases there will be a conflict. The next step is to increase the salience of legal terms. Ladies and gentlemen, and especially hunters, this is the term that you need to know. Salience is a term from consumer law that basically says that when consumers vote with their feet, when hackers vote with their fingers, and they don't participate in programs with lacking terms, then drafters have an incentive to change the terms; then the market polices the quality of the terms. So I have created a slogan: say no to no safe harbor. Or a sticker: hackers, no safe harbor, don't participate; vendors, no safe harbor, don't launch the program; and platforms, I know these are your clients, but if there is no safe harbor, don't launch a program like that on your platform without saying anything. This is how we make the exception of safe harbor the standard.

Now, more and more companies are including this kind of commitment that I call a personal safe harbor, which is essentially saying that if the hacker is in scope, if he follows the careful guidelines in terms of disclosure, testing techniques, etc., then they will not pursue legal action. But this is a contractual commitment. Clear authorization under the relevant law negates the foundation of the whole legal claim; therefore it's more powerful. And here it's not just me saying that: the Department of Justice, the people entrusted with CFAA enforcement, they understand the risk for bug hunters, and they launched a framework. They published it in July, and they suggest that you should have clear authorization for in-scope testing under the CFAA, basically authorizing the access for the hunter. And I worked on that, and in my no-legal-advice capacity I added the DMCA and any applicable anti-hacking laws, because there are state anti-hacking laws as well. And if you want to follow up on this issue, this is my GitHub project that EdOverflow helped me with, because I know little of GitHub, and you can find there basically all the different safe harbor language I suggest in order to create standardization in this field.

Now, is that enough? No, because eight months have passed since the Department of Justice released their framework, and since I have started speaking about these issues at DEF CON. Yet, can you guess how many programs until now adopted an explicit safe harbor like the DOJ, in their non-binding recommendation guidelines, suggest? Any guesses? From thousands of thousands of programs, or at least two thousand? Any guesses, my friends, how many programs comply with the recommendations of DOJ? Two? Nice, okay. Now I know, because I track them. I have a Hall of Fame for safe harbors. In my Hall of Fame I only have two companies, sorry, three companies, and Ed. Okay, and Ed is great and I love him, but we need more companies as well. So how do we change that? How do we create more and more adoption? Standards are the answer. We create standardization of legal language across industries and platforms in light of the Department of Justice framework. Then we have one language, like Creative Commons, like open source. This creates an industry benchmark for what is a good safe harbor. It reduces the informational burden on the hackers, because now they know how this kind of language should look. It also reduces transaction costs, because now you have a template to go to your lawyers, to your vendors, and suggest. Then we create a reputation system for the quality of bug bounty policies. Now, we all know hackers have a reputation system, right, for the best hunters, with Signal. What about a reputation system for the companies? We need a system like that. Then we work on third-party authorization, to include language in the contracts that authorizes access and that makes sure that that vendor, your first party, is aware that you are operating a bug bounty. This is more complicated, but I'm working on this with the community. After that, we work on education and simplified disclosures, because the legal language I've seen is complicated. And just a teaser: it sometimes includes binding arbitration. Yes, there is a bug bounty with binding arbitration, for example. So we need to simplify the disclosure. We need to educate the crowd, the hackers, about the legal risks involved in a bug bounty, and platforms have a responsibility to do that as well. After we simplify disclosure and create more education, platforms need to work on standardization by actively vetting the terms and knowing, in each program, what legal risk the crowd is in by doing that. That's also part of their responsibility. They could be engaged in safeguarding the interests of the crowd; they can actually take a commitment under contract law that in-scope testing shouldn't be sued by the vendor.

So we have good news and bad news. Bad news: there is a lot to be done, definitely. But good news: this is up to us. These are contracts that we control. We don't need a CFAA reform, we don't even need a DMCA exemption from the Copyright Office. The people in this room, and you know that I'm talking about you, you have the power to change that, because you control a lot of contracts. So change could be made right now. We just need to think, or maybe start thinking, about that individual hunter that wants to follow the rules but is not in a negotiation position, so we need to speak and talk about this important message on his behalf.

And I want to end with some hope. My friends at Dropbox, I hope I can call them friends, they recently launched an amazing, really amazing, policy with safe harbors in light of the Department of Justice framework. They are even allowing third parties or other companies to copy/paste their language, and they even have a DMCA safe harbor, a waiver of DMCA claims. Now, I can't say I had nothing to do with it, and if you are following my Legal Bug Bounty project you might have seen that on Twitter, but I think it says a lot about what this company does and how much they care about hunters. That is why in my paper that explores these issues I gave them a really big shout-out, and this forever will be documented in the paper. And if you are not motivated by now to help me solve this, because I'm just one person and I need all of your help, then let me give you just one more story for motivation. Remember Kevin, that guy that reported the vulnerability to DJI? On the day that I tweeted about this mess, which got a lot of media buzz, the same day, DJI launched the most comprehensive bug bounty policy legal safe harbor I've seen, really some pro-hunter stuff: authorization under the CFAA, the DMCA, some really good stuff. This means a lot about what this community has the power to do. I am just one person; I cannot do this alone, and I'm happy to say that more and more platforms and vendors have reached out to create a standard. Think about it for one second. I first spoke about this issue at Skytalks at DEF CON last year. The first question that I got was, "well, have you ever heard about someone that got sued in a bug bounty?" Then, last year, I told them, well, don't wait for the first story, don't wait for it, because, you know, the writing is on the wall. Don't wait for it. Months later, we hear about Kevin. Maybe, if this community had worked together to push the conversation on safe harbors months ago, well, just maybe Kevin could have gotten his Tesla. Thank you very much.

You can follow me on Twitter and continue this conversation. You can follow Legal Bug Bounty, which is not legal advice, and I encourage you to take action. Many of you are involved in a bug bounty, or will be involved in a bug bounty: ask your lawyer what is the risk. Talk to me, talk with your lawyers, take a look at the Department of Justice guidelines, and take action to change this reality. I'm open to your questions. Yes?

I definitely know there is a lot of work done on that, but I believe in others. There is an ISO standard that Katie Moussouris basically was very involved in creating. I know that the Europeans are working on that. Coordinated vulnerability disclosure is on the rise. I don't think there is a problem there. I think there is a problem with the safe harbor for hackers, because I've heard about coordinated vulnerability disclosure going sideways because they don't have a commitment to the hacker, and you are basically reporting, providing evidence, and you are just at their mercy. So I think both of these conversations should go together, right? We can't just have, you know, white hat disclosure with no ethical requirements on the company side; that is not fair. More questions? Yes.

So I can tell you that the big companies, the BountyCraft participants for those familiar, and the platforms are well aware, and they're actively doing stuff to change this, and I want to compliment them and encourage them and give them the credit for that. It just takes time. I think the problem is ignorance in smaller programs, and sometimes ignorance of some of the lawyers, and I'm very happy to say that now we have Department of Justice guidelines, basically for those lawyers to read and understand that this is not just Amit Elazari, this is the Criminal Division of your federal government suggesting there is a problem here and you need the safe harbor, or recommending, to be exact, to be correct. So definitely, and there is a problem where big companies are not taking the leadership in terms of really, you know, showing this community how this should be done, except Dropbox, because, a big company, they might not be in the business of suing white hat hackers, the government might not be in the business of suing white hats, but smaller companies that are now adopting bug bounties, which are exploding, and are not as mature in terms of, you know, legal department, they might be doing that, and then we see scenarios like we have seen. Yes.

By the way, we can take probably one more question and that's it, and if you have any questions afterward, feel free to come talk to the speaker afterward. Thank you. So, I saw one. Yes.

Yes, according to reports.

Okay, so what can you do in terms of the hunter and in terms of the company? Either. Okay, so this is not legal advice, and I'm not admitted in the United States, but this is why safe harbors are so important. In that case, according to reports, in communications they in fact authorized that the bounty was in scope, and therefore I think they had a very weak unauthorized-access CFAA claim, because they already basically authorized access, as to my understanding, according to reports. This is why it's important to have a commitment up front, because then the company cannot waive that later with legal threats in negotiations. But, you know, this goes both ways, and this is why, if these are the rules in terms of disclosure, if these are the rules in terms of rewarding, in terms of security techniques, this is your scope, and if you're out of scope and there is no language, and this is not a good faith violation of the scope, and there is no language with respect to good faith violation, then you should know you are exposed as well. So this is why I think clear authorization works well for both sides. And we can keep this conversation going if I haven't answered your questions. Let's thank our speaker again. Thank you.