Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties
An edited, final version of this paper appears in Rewired: Cybersecurity Governance, Ryan Ellis and Vivek Mohan eds., Wiley, 2019.
42 Pages. Posted: 2 May 2018. Last revised: 14 Oct 2019
Date Written: April 12, 2018
Abstract
Security vulnerabilities are becoming the new oil. Mega-corporations and leading nations alike are struggling to address ever-expanding cyber risk, as news of cyberattacks and data breaches consumes the press and makes top headlines. Never before has the market for vulnerabilities seen such prosperity. One result of this cyber-chaos reality is the proliferation of “bug bounty” programs, in which security researchers legally trade newly discovered vulnerabilities for monetary and reputational rewards. This practice of organizations inviting individual hackers to perform penetration testing is becoming a best practice in cybersecurity and is expanding across industries and governmental organizations. While legislators, policymakers and courts continue to struggle to facilitate white and grey hat hacking under murky and overbroad anti-hacking laws, industry has, through form contracts and market mechanisms, created an alternative regime to foster security research. Yet, as this paper will show, that regime isn’t perfect. The rules of the emerging “bug bounty” economy are mainly dictated by companies and intermediary “platforms”, using multiple layers of unilaterally drafted “take-it-or-leave-it” terms that often put hackers in “legal” harm’s way, shifting the risk of civil and criminal liability towards hackers instead of authorizing access. That said, it is a step forward: a case study illuminating the growing and often unobserved role private ordering plays in shaping the cybersecurity regulatory landscape. Through contracts, bug bounty programs invite more than 120,000 hackers to legally trade vulnerabilities for reputational and monetary rewards. Without form contracts, this emerging bug bounty economy wouldn’t be sustainable. Yet more must be done to ensure bug bounties truly operate as the safe harbor they claim to be and serve their function as an alternative to the black market.
This paper briefly illuminates the current problems in the privately ruled bug bounty regulatory landscape and suggests steps to improve the quality of bug bounty legal terms in order to truly foster ethical hacking.
Keywords: cybersecurity, bug bounties, private ordering, vulnerabilities sharing