Jan 19, 2016, 09:11 AM
Legal Login
with Mindi Giftos
Bug bounty programs: Hacking for good or evil?
(page 2 of 2)
What do you do if you are contacted by someone claiming to be a bug bounty hacker?
If you are contacted — unsolicited — by a so-called security professional acting under the guise of the bug bounty program, we recommend taking the following steps:
- Determine whether your company has an established program. If your company participates in a bug bounty program and offers rewards, familiarize yourself with the program's requirements to see whether the individual is in compliance. Typically, a participant only reports the existence of errors and bugs. If an individual actually scrapes data, they are likely not in compliance and have another agenda.
- Fix the bug. As soon as someone outside your organization is aware of the bug, your systems are vulnerable. Fix the hole as soon as you become aware of its existence.
- Fully evaluate the threat. Did the hacker offer proof that data was taken? If so, what data was compromised? Verify with your internal IT staff whether the data the hacker claims to have accessed was actually reachable. Consider hiring an outside forensic team to verify the scope of the breach and to confirm that remediation is complete.
- Contact an attorney. If personally identifiable data was taken, the breach may trigger notification requirements in each of the states or countries where your customers or employees reside.
- Consider developing a media plan. If you elect not to pay the amount demanded, there is risk that the hacker will go to the media. Prepare to address any allegations that your company’s systems are unsecured.
- Consider going to law enforcement. Many companies mistakenly believe that contacting law enforcement is always the first step in responding to a data breach. That is not always the case and should be done only after initial investigations and discussions with counsel.
- Consider whether paying the requested reward is reasonable. If the individual is acting legitimately under a bug bounty program, or has identified a vulnerability without exploiting it, it may be worth paying the modest bounty requested. However, if the individual appears to be acting on his/her own without any guidelines (or scruples), consider ignoring the request and mitigating the potential consequences that may come from it.
As with all pieces of the data security puzzle, it is critical to remain aware of bug bounty programs, as well as their risks. If you have further questions, please contact an attorney with knowledge of information technology issues.
Mindi Giftos is the managing executive of Whyte Hirschboeck Dudek S.C.'s Madison office. She practices in the areas of intellectual property and technology law, and leads WHD's Technology Law Team. She can be reached at email@example.com.
Ariane Strombom is an attorney with the law firm of Whyte Hirschboeck Dudek S.C. practicing in the areas of technology law and corporate transactions, and co-leads the International Transactions Team. She can be reached at firstname.lastname@example.org.