
EdOverflow / Legal Bug Bounty

Licence: cc0-1.0
#legalbugbounty project — creating safe harbors on bug bounty programs and vulnerability disclosure programs. Authored by Amit Elazari.

Projects that are alternatives to, or similar to, Legal Bug Bounty

Xxe Injection Payload List
🎯 XML External Entity (XXE) Injection Payload List
Stars: ✭ 304 (+623.81%)
Mutual labels:  infosec, bugbounty
Bugbountyguide
Bug Bounty Guide is a launchpad for bug bounty programs and bug bounty hunters.
Stars: ✭ 338 (+704.76%)
Mutual labels:  infosec, bugbounty
Bugbounty Cheatsheet
A list of interesting payloads, tips and tricks for bug bounty hunters.
Stars: ✭ 3,644 (+8576.19%)
Mutual labels:  infosec, bugbounty
Megplus
Automated reconnaissance wrapper — TomNomNom's meg on steroids. [DEPRECATED]
Stars: ✭ 268 (+538.1%)
Mutual labels:  infosec, bugbounty
Android Reports And Resources
A big list of Android Hackerone disclosed reports and other resources.
Stars: ✭ 590 (+1304.76%)
Mutual labels:  infosec, bugbounty
H2csmuggler
HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Stars: ✭ 292 (+595.24%)
Mutual labels:  infosec, bugbounty
Bxss
bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
Stars: ✭ 331 (+688.1%)
Mutual labels:  infosec, bugbounty
targets
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.
Stars: ✭ 85 (+102.38%)
Mutual labels:  infosec, bugbounty
Learn365
This repo is about @harshbothra_ 365 days of learning Tweet & Mindmap collection
Stars: ✭ 525 (+1150%)
Mutual labels:  infosec, bugbounty
Security Tools
Collection of small security tools, mostly in Bash and Python. CTFs, Bug Bounty and other stuff.
Stars: ✭ 509 (+1111.9%)
Mutual labels:  infosec, bugbounty
Cloudbrute
Awesome cloud enumerator
Stars: ✭ 268 (+538.1%)
Mutual labels:  infosec, bugbounty
Dirsearch
Web path scanner
Stars: ✭ 7,246 (+17152.38%)
Mutual labels:  infosec, bugbounty
aquatone
A Tool for Domain Flyovers
Stars: ✭ 43 (+2.38%)
Mutual labels:  infosec, bugbounty
Go Dork
The fastest dork scanner written in Go.
Stars: ✭ 274 (+552.38%)
Mutual labels:  infosec, bugbounty
Pentesting
Misc. Public Reports of Penetration Testing and Security Audits.
Stars: ✭ 24 (-42.86%)
Mutual labels:  infosec, bugbounty
Hetty
Hetty is an HTTP toolkit for security research.
Stars: ✭ 3,596 (+8461.9%)
Mutual labels:  infosec, bugbounty
T1tl3
A simple Python script which can check the HTTP status of a bunch of URLs/subdomains and grab each URL's/subdomain's title
Stars: ✭ 14 (-66.67%)
Mutual labels:  infosec, bugbounty
PastebinMarkdownXSS
XSS in pastebin.com and reddit.com via unsanitized markdown output
Stars: ✭ 84 (+100%)
Mutual labels:  infosec, bugbounty
Metabigor
Intelligence tool but without API key
Stars: ✭ 424 (+909.52%)
Mutual labels:  infosec, bugbounty
Assessment Mindset
Security Mindmap that could be useful for the infosec community when doing pentest, bug bounty or red-team assessments.
Stars: ✭ 608 (+1347.62%)
Mutual labels:  infosec, bugbounty

Legal bug bounty


This is the #legalbugbounty standardization project. As Amit Elazari explains in her Enigma talk and her papers, the legal landscape of bug bounties is currently lacking: safe harbor is the exception, not the standard, and thousands upon thousands of hunters are put in legal harm's way. I've suggested that bug bounty legal terms, starting with safe harbor, could and should be standardized. Once standardization of bug bounty legal language is achieved, the bug bounty economy will become an alternate private legal regime in which white-hat hacking is celebrated through regulatory incentives.

Standardization will start a race-to-the-top over the quality of bug bounty terms. This project, supported by CLTC, aims to achieve standardization of bug bounty legal terms across platforms, industries and sponsors, in line with the DOJ framework, and akin to the licenses employed by Creative Commons and the open source industry. This will reduce the informational burden and increase hackers’ awareness of terms (salience). It could also signal whether a particular platform or company conforms with the standard terms that are considered best practice.

Finally, it could reduce the drafting costs of the platform or sponsoring program, as well as the transactional costs. While some organizations (such as governmental or financial organizations) might require adjustments, the legal concerns of bug bounty sponsors and platforms are generally similar and could be addressed in standardized language. Moreover, standardization should be used to ensure that hackers have authorized access to any third-party data or components implemented in the bug bounty administrator's product/network, and to facilitate coordinated disclosure of third-party vulnerabilities that are found (and ethically disclosed). Companies and platforms should coordinate to ensure that such clauses are included in all terms, fostering a best-practice mentality in the industry.

The benefits of standardizing the legal language of bug bounties/CVDs across industries and platforms, in light of the DOJ framework

  • One language of safe harbor akin to Creative Commons/Open Source;
  • Create an industry standard that will serve as a benchmark and signal to hackers if companies don’t adopt it;
  • Reduce the informational burden and increase hackers’ awareness towards terms;
  • Reduce transaction and drafting costs;
  • Create a reputation system for legal terms.

⚖ Legal disclaimer

⚠ You must consult with a lawyer.

This report does not constitute legal advice and the author is not admitted to practice law in the U.S. The information contained herein is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, terms, rules and regulations, there may be delays, omissions or inaccuracies in information contained herein. Accordingly, the information is provided with the understanding that the author is not herein engaged in rendering legal or other professional advice and services. As such, it should not be used as a substitute for consultation with professional legal or other competent advisers. Before making any decision or taking any action, you should consult a professional. All information is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will the author be liable to you or anyone else for any decision made or action taken in reliance on the information herein or for any consequential, special or similar damages.

About this project

The #legalbugbounty project is supported by CLTC, UC Berkeley.

Authored by Amit Elazari.
