Bug bounty programs: Hacking for good or evil?
Obtaining cyber insurance, hiring trusted staff to ensure the safety of your information technology (IT) infrastructure, and adopting cutting edge security measures are just a few of the preemptive steps essential to preventing data breaches today. But even after these steps are taken, your company may still be vulnerable. “Bug bounty programs” are an additional tool companies can use to understand IT weaknesses before they become devastating breaches. These programs are occasionally abused, however, so it is important for every company to be aware of what these programs offer and what risks they present.
What is a bug bounty program?
Bug bounty programs are incentive programs offered by companies through which outside IT security professionals can receive recognition and, in most cases, compensation for identifying and reporting errors or bugs that create system vulnerabilities. Essentially, individuals with the tools to hack IT systems find the vulnerabilities, but instead of exploiting those vulnerabilities, they report them to the company involved and often offer to assist in remediating the problem. The advantage of these programs is that they allow companies to identify otherwise undiagnosed security problems before they are actually exploited by hackers and become public.
The first bug bounty program was started by Netscape in 1996. These programs have been gaining more and more traction recently with the looming threat of data breaches. Several companies throughout the world, such as Facebook and Google, take advantage of the benefits of bug bounty programs. While the initial incentives for reporting bugs were relatively minimal, today many companies offer generous rewards to bug bounty hackers for finding system issues. For example, Google offers rewards ranging from $500 to more than $3,000 for the identification of vulnerabilities in Google’s operating system that are found in accordance with its bug bounty program guidelines.
What if my company doesn’t offer incentives, but I am contacted?
Many companies today do not have formal bug bounty programs or guidelines. However, this fact has not stopped independent “security professionals” from trying to exploit those systems in an attempt to gain a financial advantage.
Many companies are finding themselves in the uncomfortable predicament of discovering a data breach incident followed by a letter from a self-proclaimed bug bounty security professional. Those letters typically indicate that while data has been accessed and taken, it remains safe. The individual then requests $5,000 to $25,000 for finding the problem. They also typically offer to assist in remediating the problem.
In these instances, the bug bounty program appears to be more of an extortion attempt than a benevolent hand in the fight against hackers. This is particularly unsettling where the “security professional” has taken personally identifiable information, such as credit card or Social Security numbers, and threatens to publicize the security breach or sell the information to the highest bidder if the hacked company does not pony up to pay the demanded amount.
What do you do if you are contacted by someone claiming to be a bug bounty hacker?
If you are contacted — unsolicited — by a so-called security professional acting under the guise of the bug bounty program, we recommend taking the following steps:
- Determine whether your company has an established program. If your company participates in a bug bounty program and offers rewards, familiarize yourself with the requirements to see if the individual is in compliance. Typically, such programs call only for errors and bugs to be reported. If an individual actually scrapes data, they are likely not in compliance and have another agenda.
- Fix the bug. As soon as someone outside your organization is aware of the bug, your systems are vulnerable. Fix the hole as soon as you become aware of its existence.
- Fully evaluate the threat. Did the hacker offer proof that data was taken? If so, what data was compromised? Have your internal IT staff verify whether the data the hacker claims to have accessed was in fact accessed. Consider hiring an outside forensic team to verify the scope of the breach and confirm that remediation is complete.
- Contact an attorney. If personally identifiable data was taken, the breach may trigger notification requirements in each of the states or countries where your customers or employees reside.
- Consider developing a media plan. If you elect not to pay the amount demanded, there is risk that the hacker will go to the media. Prepare to address any allegations that your company’s systems are unsecured.
- Consider going to law enforcement. Many companies mistakenly believe that contacting law enforcement is always the first step in responding to a data breach. That is not always the case and should be done only after initial investigations and discussions with counsel.
- Consider whether paying the requested reward is reasonable. If the individual is acting legitimately under a bug bounty program, or has identified a vulnerability without exploiting it, it may be worth paying the modest bounty requested. However, if the individual appears to be acting on his/her own without any guidelines (or scruples), consider ignoring the request and mitigating the potential consequences that may come from it.
As with all pieces of the data security puzzle, it is critical to remain aware of bug bounty programs, as well as their risks. If you have further questions, please contact an attorney with knowledge of information technology issues.
Mindi Giftos is the managing executive of Whyte Hirschboeck Dudek S.C.'s Madison office. She practices in the areas of intellectual property and technology law, and leads WHD's Technology Law Team. She can be reached at firstname.lastname@example.org.
Ariane Strombom is an attorney with the law firm of Whyte Hirschboeck Dudek S.C. practicing in the areas of technology law and corporate transactions, and co-leads the International Transactions Team. She can be reached at email@example.com.