The law firm of Morrison & Foerster has been providing cutting-edge legal advice on matters that are redefining practices and industries. It was founded in 1883, and now has approximately 1,000 attorneys staffing 16 offices from Beijing to Berlin and San Francisco to Singapore.
The firm, better known as MoFo, is known for being a leader in the areas of data security, privacy, global risk and crisis management, intellectual property, and regulatory issues — all areas intertwined with cybersecurity. Earlier this year, MoFo released an alert titled “Bug-Bounty Programs: A Valuable Tool to Be Used Carefully,” written by David Newman, which says that bug bounty programs “have come into favor because they represent a cost-effective ‘force multiplier’ that can augment existing efforts.” It also states, however, that “companies must be careful in how they design and implement these programs to avoid legal and reputational risk.”
David is of counsel in MoFo’s National Security and Global Risk & Crisis Management practices where he has extensive experience representing clients with national security, crisis management and government regulation issues. Prior to joining MoFo, David held several key posts at the White House, serving as Special Assistant and Associate Counsel to President Barack Obama and on the staff of the National Security Council.
We asked David a few questions related to his work for clients on hacker-powered security, as well as what he’s seeing in the field as more and more organizations launch both vulnerability disclosure policies (VDP) and bug bounty programs. Here’s what he had to say.
In your recent client advisory, Bug-Bounty Programs: A Valuable Tool to Be Used Carefully, you covered a wide range of items related to bug bounty program adoption. In your experience, how have you seen companies respond when a bug bounty program is suggested or discussed?
Bug bounty programs are increasingly standard, and companies no longer view them as foreign or strange. So many sophisticated players have embraced them (including the tech giants and the U.S. Department of Defense), and when done right, they can be a cost-effective way to reinforce a company’s existing cybersecurity efforts and to avoid a much more costly problem down the road. Companies should also appreciate that they may be contacted by outside researchers about vulnerabilities whether they have a formal program in place or not, so establishing a program is a way to provide a structure and process for those interactions to occur in a positive way.
Is it typically hard to get corporate counsel on board with a bounty program? What are their initial/typical concerns?
In-house attorneys recognize that these programs are increasingly standard fare and add value. But given their role, they also see the risks of not getting the design and execution right. In particular, they are sensitive to the challenges of ensuring that these programs are compliant with applicable data privacy regimes and that bounties are paid in a way that minimizes legal and reputational risks, and they welcome outside advice in terms of the right way to navigate those considerations.
How should companies approach the simple first step of launching a vulnerability disclosure policy for the external research community to, in the words of former U.S. Secretary of Defense Ash Carter, give a legal avenue to a good citizen to “See something, say something”?
A key step early on is to bring together all of the relevant stakeholders in the organization — the GC’s office, the CISO team, and others on the business side — to discuss what network and data components should be included in the program, what resources are available to support it, and how it fits with the organization’s overall security efforts. The exercise of drafting the terms of the program can be invaluable in ensuring that everyone is on the same page and that clear lanes responsibility exist for supporting the programs and making decisions.
Do you think the legal view of VDPs and bounty programs has evolved over the past year or so? If so, how?
Companies have become more aware of the importance of being rigorous and thoughtful in terms of how these programs are designed and the value of seeking advice before making a large payment or responding to an edge case. Often, that awareness comes from a specific event in which the company is contacted about a vulnerability in a way that highlights an ambiguity in their current program and that makes them wish they had a more defined set of policies and procedures in place.
Where do you see it evolving to in the next year?
I expect companies will continue to become more sophisticated in terms of how they operate the programs, which includes putting in place a more formal process internally and a clearer set of public-facing terms. Another big focus in the coming year will be analyzing these programs in the context of applicable U.S. and overseas privacy regimes, including GDPR.
In your Bug-Bounty Programs: A Valuable Tool to Be Used Carefully alert, you highlighted areas of note for companies to pay special attention when considering a bounty program. Are there any that you’d like to re-emphasize as particularly important?
The crux of that post was that companies are well served by being thoughtful and clear in advance about what systems their programs cover, how they will operate, who is responsible for making decisions, and in what circumstances they would pay a bounty. This requires work, but the challenges are greatly magnified when decisions are made in the context of specific incident (and often on a very compressed time frame) rather than thought through and discussed at the right levels in advance.
The alert recommends that people review the guidance provided by the many government organizations. Does the proliferation of government agency guidance and adoption to-date signal anything in your view?
The proliferation of government guidance reinforces the broad acceptance of these programs by regulators. Government agencies see that these programs are out there and add value and are trying to offer practical guidance on how to do them the right way. While these guidance documents typically do not have the force of law, companies benefit from drawing upon them because they often highlight sector-specific concerns and because there is value in being able to later explain that the choices made were informed by public guidance.
Switching to the other side of VDPs and bounty programs, what should hackers be thinking about when they stumble across a vulnerability or participate in a bounty program?
It is important to view things from the company’s perspective and to consider the way that any approach will be seen by the company. Among other things, a company must be vigilant for any suggestion that its data has been improperly exfiltrated or misused and has obligations to protect its information.
Final, most vital question for you: What’s your favorite hacker movie?
So many good choices out there these days, but I first watched WarGames with my Dad 30+ years ago – and would still have to rank it #1. It’s aged better than many others.
To connect with David, you can visit his profile on MoFo.com. Interested in getting started or learning more about hacker-powered security? Contact us today or read more in our Resources section (the 5 critical components to a VDP guide is a good one to start with).
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.