Some companies offer monetary rewards to so-called “white hat” hackers to find security bugs in the company’s systems. These “bug bounties” can prove useful in identifying vulnerabilities and preventing breaches. Care must be taken, however, that a bug bounty transaction doesn’t devolve into a situation in which sensitive data of the company (or its customers) is held for a large ransom.
Consider the 2016 Uber breach of approximately 57 million users and drivers. Hackers found login credentials in a code repository and used them to access Uber’s backup file on an Amazon server. Uber paid $100,000 to retrieve the data, an amount ten times greater than the company’s highest published bug bounty. The incident only became public in December 2017. Uber is now facing investigation by attorneys general of at least six states. In addition, earlier this month, Uber’s CEO and CIO were called to testify before the U.S. Senate Commerce.
Bug bounty programs should be operated within strict parameters and in compliance with applicable laws and regulations, including state data breach notification laws.
© 2018 Ossian Law P.C.