Want safe harbor? Sign this NDA
Sign this NDA to report a security issue or we reserve the right to prosecute you under the Computer Fraud and Abuse Act (CFAA) and put you in jail for a decade or more. That's the message some organizations are sending with their private bug bounty programs.
Take PayPal. The VDP on its website tells all bug finders to create an account on HackerOne and agree to the terms and conditions of their private bug bounty program, including the NDA. If you report a bug any other way, PayPal explicitly refuses to offer safe harbor to bug hunters.
"You won't find VDPs on HackerOne that don't permit any type of disclosure," Rice tells CSO, which at least in the case of PayPal appears not to be true. PayPal's VDP shoehorns every bug reporter into its private bounty program on HackerOne, and the only way to report a bug in good faith with zero expectation of a bounty is to agree to that private program's NDA. (HackerOne's website may label the program a "private bug bounty" instead of a "VDP," but it remains the sole published way to report a security flaw to PayPal at the time of this writing.)
The PayPal terms, published and facilitated by HackerOne, turn the idea of a VDP with safe harbor on its head. The company "commits that, if we conclude, in our sole discretion, [emphasis ours] that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry."
The only way to meet their "sole discretion" decision of safe harbor is if you agree to their NDA. "By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval."
HackerOne underscores that safe harbor can be contingent on agreeing to program terms, including signing an NDA, in their disclosure guidelines. Bug finders who don't wish to sign an NDA to report a security flaw may contact the affected organization directly, but without safe harbor protections.
"Submit directly to the Security Team outside of the Program," they write. "In this situation, Finders are advised to exercise good judgement as any safe harbor afforded by the Program Policy may not be available."
Rice says HackerOne discourages such conduct from customers and will kick companies off the platform if they take "unreasonable punitive action against finders," such as making legal threats or referring a finder to law enforcement. He points out that earlier this week HackerOne removed online voting vendor Voatz from the platform, the first time HackerOne has removed a customer from the platform. PayPal did not respond to our request for comment.
However, security researchers concerned about safe harbor protection should not rest easy with most safe harbor language, Electronic Frontier Foundation (EFF) Senior Staff Attorney Andrew Crocker tells CSO. "The terms of many bug bounty programs are often written to give the company leeway to determine 'in its sole discretion' whether a researcher has met the criteria for a safe harbor," Crocker says. "That obviously limits how much comfort researchers can take from the offer of a safe harbor."
"EFF strongly believes that security researchers have a First Amendment right to report their research and that disclosure of vulnerabilities is highly beneficial," Crocker adds. In fact, many top security researchers refuse to participate on bug bounty platforms because of required NDAs.
Fed up with bug bounty NDAs
Tavis Ormandy, the well-respected security researcher at Google Project Zero, declined to be interviewed for this article, but has previously taken a strong public stance against NDAs. In 2019 he tweeted, "I refuse to agree to terms before reporting a vulnerability," adding in a follow-up tweet, "It's like saying you're going to make a truthful, verifiable and reproducible claim about a product, but willing to give the vendor a short window to make changes first if they wish to do so. No requirement to act if they don't want to or don't care."
He's not the only security researcher who refuses to be muzzled. Varun Kakumani, recently in the news for trying to report a security flaw to Netflix that Bugcrowd triagers marked as out of scope, tells CSO that, despite being a veteran bug finder listed in the Google, Microsoft, Yahoo, Adobe and eBay halls of fame, he will never work for the bug bounty platforms and only submitted via Bugcrowd because Netflix outsources its VDP to that platform.
"There is no use of bug bounties these days," Kakumani tells CSO. "It's like a game for many people. Just follow their stupid rules and get paid. There is no value for true hacker's work these days."
Kevin Finisterre (@d0tslash), the DJI drone bug finder who famously walked away from a $30,000 bounty because the vendor demanded an NDA to cover up a data breach, doesn't mince his words about bug bounties. "Enticing me to participate in bounties at this phase in my career is a hard sell," he tells CSO. "The economy of doing bounty work makes zero sense for me in most cases."
Labor law violations
After getting burned by DJI, Finisterre now works full time doing security for an autonomous vehicle division of a large auto manufacturer and suggests bug bounties are more for younger, less established people looking to get noticed. He says that bug bounty platforms are exploiting hackers. "Most egregious to me is many of us are some form of on [the autism] spectrum and we will literally work ourselves to death hunting bugs ultimately for little return on immediate efforts," he says, adding, "No one ever mentions the lack of health insurance...."
Health insurance in the US is typically provided by employers to employees, and not to independent contractors. However, legal experts tell CSO that the bug bounty platforms violate both California and US federal labor law.
California AB 5, the Golden State's new law to protect "gig economy" workers that came into effect in January 2020, clearly applies to bug bounty hunters working for HackerOne, Bugcrowd and SynAck, Leanna Katz, an LLM candidate at Harvard Law School researching legal tests that distinguish between independent contractors and employees, tells CSO.
AB 5 uses a human-readable "ABC test" to determine if a worker is an employee or independent contractor under California law. "It is unlikely that all three elements [of the ABC test] of control, work outside the usual course of business, and independently performing the same work are met," Katz says. "Thus...hackers are likely employees under California's laws."
Veena Dubal, a law professor at University of California, Hastings, and an expert on labor law who researches the gig economy, agrees with Katz's analysis. She says that the bug bounty platforms also violate the US Fair Labor Standards Act (FLSA), which requires employers to pay a minimum wage.
Consider a finder who spends weeks or months of unpaid work to discover and document a security flaw. Someone else independently discovers, documents and submits that same bug five minutes before the first finder. Under the rules of most HackerOne and Bugcrowd bounty programs, the first submitter gets all the money, the second finder gets nothing.
"My legal analysis suggests those workers [on bug bounty platforms] should at least be getting minimum wage, overtime compensation, and unemployment insurance," Dubal tells CSO. "That is so exploitative and illegal," she adds, saying that "under federal law it is conceivable that not just HackerOne but the client is a joint employer [of bug finders]. There might be liability for companies that use [bug bounty platform] services."
"Finders are not employees," Rice says, a sentiment echoed by Bugcrowd founder Ellis and SynAck founder Jay Kaplan. SynAck's response is representative of all three platforms: "Like many companies in California, we're closely monitoring how the state will apply AB 5, but we have a limited number of security researchers based in California and they represent only a fractional percentage of overall testing time," a SynAck representative tells CSO.
Using gig economy platform workers to discover and report security flaws may also have serious GDPR consequences when a security researcher discovers a data breach.
Bug bounty platforms may violate GDPR
When is a data breach not a data breach?
When a penetration testing consultancy with vetted employees discovers the exposed data.
A standard penetration testing engagement contract includes language that protects the penetration testers — in short, it's not a crime if someone asks you to break into their building or corporate network on purpose, and signs a contract authorizing the work and indemnifying you.
This includes data breaches discovered by penetration testers. Since the pen testers are brought under the umbrella of the client, say "Company X," any publicly exposed Company X data discovered is not considered publicly exposed, since that would legally be the same as a Company X employee discovering a data breach, and GDPR's data breach notification rules don't come into play.
What about unvetted bug bounty hunters who discover a data breach as part of a bug bounty program? According to Joan Antokol, a GDPR expert, the EU's data breach notification regulation applies to bug bounty platforms. Antokol is partner at Park Legal LLC and a longstanding member of the International Working Group on Data Protection in Technology (IWGDPT), which is chaired by the Berlin Data Protection Commissioner. She works closely with GDPR regulators.
"If a free agent hacker who signed up for a project via bug bounty companies to try to find vulnerabilities in the electronic systems of a bug bounty client (often a multinational company), was, in fact, able to access company personal data of the multinational via successful hacking into their systems," she tells CSO, "the multinational (data controller) would have a breach notification obligation under the GDPR and similar laws of other countries."
The lack of vetting of bug bounty hunters, where anyone, including this reporter, can sign up for a HackerOne or Bugcrowd account with any email address, is the key sticking point, Antokol says. "There is really no way around it when the bug bounty companies collect little more than a name (and perhaps a fictitious one at that) of the presumably ethical hacker, along with their wire transfer information or an address for the bug bounty company to send them a payment," Antokol says. "Even if the bug bounty company or multinational was able to obtain a certification from the successful hacker about no misuse of the personal data, full and irreversible erasure of the data, no sharing of the data, etc., they would not be able to ensure credibility or accountability of the hacker, so it would essentially be a sham."
With proper GDPR compliance in place, though, Antokol says, the notification obligation could perhaps be avoided.