U.S. Senate Hearing - Data Security and Bug Bounty Programs: Lessons Learned
Today, HackerOne was invited to testify in front of the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. We are honored to join the Senate and leaders in our industry to discuss the role hackers can play in strengthening security.
The fallout from past breaches has done lasting damage to our trust in technology. This hearing and others like it are necessary if we are to learn from past incidents and work better together to protect consumers and their data.
For the first time in my life, an entire room of lawmakers was in awe of the valuable role hackers play in protecting us. Hackers have continually risen to this challenge despite obstacles and considerable personal risk. That tenacity speaks to their strength. The world is finally beginning to embrace an important truth: We need hackers.
In the hearing itself, the committee and a group of invited security experts shared insights on the value hackers provide and on the differences between legitimate bug bounty programs and criminal breaches, against the backdrop of the 2016 Uber Data Security Incident.
I've summarized the key points from the experts below, but those with an interest in this area will find their full statements absolutely worthy of their time.
From the Senate Hearing
Justin pointed to the commitment by Consumers Union to provide more information to consumers about which companies have the best data security practices, such as through their work on the open source Digital Standard. This standard articulates the importance of hackers as a data security best practice:
"Consumers Union is a strong proponent of bug bounty programs, and believes that they play a crucial role in a data security ecosystem that has failed consumers far too often."
The statement pointed to the counterproductive tendency for companies to report security researchers to law enforcement. Absent a strong indicator of malicious intent in this incident, Justin complimented Uber for their restraint in not immediately escalating the hacker to law enforcement, but criticized Uber's decision to not provide timely notification to its users.
Ultimately, the recommendation focused on (1) additional resources and authority for the FTC to challenge shoddy data security practices and (2) a stronger, clarified, and unified breach notification standard enacted at the federal level. We wholeheartedly agree.
Katie opened her statement with a reminder of the chilling effect existing laws have had on security research for defensive purposes.
"In 2015, 94% of the Forbes Global 2000 had no published way to report a security hole to them. If you saw something, it was difficult to say something. It was even a risk to your freedom, if the organization chose to pursue legal action against you."
Katie explored the importance of a thoughtfully crafted vulnerability disclosure policy, highlighting the Department of Justice's recent Vulnerability Disclosure Framework as a best practice for protecting both consumers and well-intentioned researchers.
Katie closed her statement by highlighting the powerful role the defense market can play in bolstering the cybersecurity workforce, and encouraged the subcommittee members to support investments in security defense training and education.
The Uber CISO covered the importance of bug bounty programs at length, describing them as "a critically important tool and widely used as part of comprehensive data security programs". Since its initial launch, the Uber program has resolved more than 800 unique vulnerabilities before they had the opportunity to become breaches.
"Uber’s bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats."
The 2016 Uber Data Security Incident "unfolded in a way that is entirely different from the typical bug bounty program scenario". The key distinction? "the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data."
This statement grants the public some valuable transparency into Uber's response process for this incident. Uber's response got a lot right: containment, attribution, and so on. But, critically, the statement sheds light on everyone's main question: why wasn't there a breach notification?
The statement is a public admission that Uber now regards that decision as wrong. Four apologetically made no excuses for the lack of notification.
Four shared several additional lessons learned. In particular, he highlighted the importance of a multi-stakeholder process for security incidents and the early involvement of law enforcement. He concluded with strong support for a unified, national approach to data security and breach notification standards.
We provided three recommendations aimed at safe harbor for hackers while they work to improve security:
First, the Computer Fraud and Abuse Act (CFAA), enacted in 1984, contains vague wording that has not kept pace with the internet. CFAA reform is urgently needed to create safe harbor for individuals who act in good faith to identify and report potential vulnerabilities.
Second, unifying the patchwork of breach notification laws enacted primarily at the state level with a harmonized and unambiguous federal standard could strongly benefit both consumers and companies alike. Those who participate in a good faith vulnerability disclosure policy must never be pulled into misguided legal proceedings.
Third, security best practices remain woefully inadequate across the industry. Consumer protection agencies (primarily the FTC) should receive further resources and empowerment from Congress. For example, all organizations entrusted with safeguarding consumer data could, at a minimum, be required to implement a vulnerability disclosure policy.
Practical Lessons Learned
Today's hearing served as validation that working alongside hackers is a necessary security practice. It also reaffirmed several best practices that HackerOne has long recommended to our customers. Anyone who is considering or already operating a bug bounty program should weigh the following recommendations:
Define Authorized. Every disclosure policy should state which activities are considered authorized, what steps participants should take to avoid sensitive information, and how they should handle an unlikely encounter with sensitive information. The DoJ Vulnerability Disclosure Framework provides a solid reference, and we recommend the following template policy language:
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
If you do encounter Personally Identifiable Information (PII), contact us immediately, do not proceed with access, and immediately purge any local copies of the information.
Do not pay a bounty to a participant who has willfully violated program rules. On HackerOne, immediately "Request Mediation" if you suspect a hacker is acting in bad faith.
All bounty amounts should adhere to clear, published policies. Never increase bounty amounts in response to demands, since doing so opens the door to dangerous quid pro quo negotiations.
Contact law enforcement and a legal specialist if you believe you are being extorted or have discovered a strong indicator of criminal intent. HackerOne will never knowingly assist with an extortion payment, unless under explicit instruction from law enforcement.
We also learned an important lesson. HackerOne has traditionally viewed our services as specializing in preventing data breaches, not in incident response. We recognize that we need to be stronger partners in this area. Toward that goal, HackerOne will begin taking active steps to help our customers become incident-ready.
We need hackers. They are the immune system. HackerOne will continue to fight for a safe environment that enables hackers to do their best work.
Co-Founder & CTO, HackerOne