Watch the full webcast here: https://pages.bugcrowd.com/bug-bounty-logistics-legalities
Join Jim Denaro, founder of Cipher Law, and Casey Ellis, Founder and CEO of Bugcrowd, to drill into many of those questions. Whether you're skeptical about the safety and legality of bug bounty programs, or your legal team is, this webcast will arm you with answers to some frequently asked questions...
What security and privacy controls does Bugcrowd have in place?
Is using Bugcrowd as safe as running a “traditional” penetration test?
Are security researchers testing under a contract or held to terms & conditions?
What happens if there is a rogue hacker in the crowd? Who is held responsible?
As a manager of a bug bounty program, can I be held personally liable?
What about compliance?
In addition to exploring these questions, we'll discuss general legal implications that both companies and bug hunters should be considering, as well as answer individual questions you may have.
2. Speakers
Casey Ellis
Founder & CEO, Bugcrowd
An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 29,000 security researchers to surface critical software vulnerabilities. Bugcrowd provides a range of vulnerability disclosure and bug bounty programs that allow organizations to commission a customized security testing program that fits their needs.
James Denaro
Attorney, Founder of Cipher Law
CipherLaw is a high-technology law firm providing strategic counseling to innovators in information security and defense technologies, including C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance). With offices in Washington, DC and Los Gatos, California, we provide counseling on intellectual property, patent, contract, transactional, and litigation matters.
Bug Hunting and the Law: Your Questions Answered +1 415 867 5351 casey@bugcrowd.com
3. Outline
• Introductions
• Current State of Cyberlaw
• Legal Questions & Concerns that come up with Security Researchers
• FAQs
• The crowd
• Liability
• Compliance
4. Risk and reward
5. The Foundation:
Bounty Brief:
• Scope
• Out of Scope
• Rules
• Invitation
= Contract
6. Regulation
7. FAQs
8. Questions about the Crowd
29,000 Hackers, 112 Countries Represented, Varying skill level & expertise
FAQs:
• Rules and Policies
• Contracts & NDAs
• Rogue Hackers?
• Public Disclosure Incidents
*Most important thing to remember: it’s not them against you, but them and you.
9. Liability Concerns
FAQs:
• Who is liable for security researchers?
• Who is held liable for any damages incurred from bad behavior?
• Personal liability?
10. Compliance Questions
Current compliance guidelines impacting cybersecurity:
• PCI
• HIPAA
• Safe Harbor
Bugcrowd’s Response
• Private Programs
• More controlled environment
• Elite Researchers