To learn more about how legal teams and federal enforcers view hacker-powered security, we invited Megan Brown, partner, and Matthew Gardner, attorney, from the Privacy & Cybersecurity Practice at Wiley Rein LLP, a Washington, DC-based firm, to present Invitation to Hack: Vulnerability Disclosure Programs.
Joined by Alex Rice, HackerOne’s Co-Founder and CTO, for discussion and Q&A, the webinar was of great value to all attendees, and we want to share that wealth of knowledge with you too! You can watch a replay of this webinar, view or download the slides from slideshare, or read our recap below.
Introduction: Legal “grey area”
Megan and Matt jumped right in, quickly addressing the “legal grey area” in which ethical hackers operate. They noted that white hat hackers run the risk of violating various laws, most notably the Computer Fraud and Abuse Act, which creates civil and criminal penalties for unauthorized access to any protected computer. There is also the potential of violating copyright protections. But it is all still a grey area.
“[The Computer Fraud and Abuse Act] does not include any exceptions for people who have a good motive,” said Matthew. “If you have great intentions, and your whole goal is to hack into something in order to alert someone to a vulnerability, that’s still a crime.”
The Feds 💗 Hacker-Powered Security
But federal entities are beginning to embrace ethical hackers, and they’re even pushing organizations to take a more friendly approach to hackers and vulnerability disclosure programs (VDPs). “What we have seen lately is a real trend towards these programs,” said Megan. “They're becoming more accepted, and indeed expected, in certain areas.”
VDPs and bug bounty programs serve to clarify the rules of engagement and the “good faith” approach to testing a company’s systems or products. What that means, legally, is that hackers who stay within the bounds of the program can stay on the good side of the law.
“Given the sensitivities and potential liabilities, companies are understandably wary about public disclosure and about how to deal with hackers that may have varied motives,” added Megan. “But a lot of companies have decided now that the benefits of encouraging research to improve their actual security related to products and services are worth the risk.”
There is also the opposite situation to consider: well-meaning hackers attempt to disclose a vulnerability but are ignored by the company. That situation can create future problems for the company, both legally and with any vulnerabilities discovered later.
Megan recounted a case involving a hospitality company that apparently ignored past disclosure attempts. When the company was eventually breached by malicious actors, “the FTC [saw] a perceived failure by the hacked company to take action after the first or second problem,” Megan explained.
“So I think when a company gets reports of vulnerabilities or problems, there is an expectation that they will do something about them. Because if you don't address it, and six months later it results in a bigger problem, it's going to be very frustrating to an enforcement agency or a regulator.”
“The FTC has also issued statements discussing the importance of vulnerability disclosure programs,” added Matthew. “And I think that there is becoming more of a trend for companies to either have one, or have an explanation for why they don't have one.”
In fact, many government enforcement agencies and regulators are promoting the benefits of hacker-powered security. The National Telecommunications and Information Association (NTIA), for example, went so far as to organize a “multi-stakeholder process” for Coordinated Vulnerability Disclosures. And the Federal Trade Commission released a “Start with Security” guide, which recommends having a VDP.
Start Small, But Start Now
Ultimately, hacker-powered security is fast becoming a critical component of corporate, industrial, and government security. But it is still new to most organizations, which is why it is best practice to start small, and the first step is a VDP.
“Companies that lack a clear vulnerability disclosure program are at increased risk should a security researcher find a vulnerability, which then they may disclose in a chaotic manner,” said Megan. “So if the company decides to adopt a program, it needs to know what options are available and build a program that's tailored to its situation.”
Organizations also need to be prepared for incoming vulnerability reports, which can put a burden on already busy internal teams. “When you open the door to negative reporting, you're going to get some negative reports,” said Megan. “This may be more than you want to bite off. This is where I think HackerOne can be of some assistance.”
Having the support of government entities and attorneys shows that hacker-powered security is here to stay. Even more, the effectiveness of VDPs and bug bounty programs is something everyone can get behind. “It does make some sense to sort of almost crowdsource your security, to have the people who are both interested in this and capable of it look at your products and services and have a way to communicate with them,” Megan concluded.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.