Bug Bounty Logistics and Legalities: Your Questions Answered

Posted on 15-Jan-2017


Transcript of Bug Bounty Logistics and Legalities: Your Questions Answered

Crowdsourced Cybersecurity

Bug Hunting and the Law: Your Questions Answered

Jim Denaro + Casey Ellis

Speakers

Casey Ellis, Founder & CEO, Bugcrowd

An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 29,000 security researchers to surface critical software vulnerabilities. Bugcrowd provides a range of vulnerability disclosure and bug bounty programs that allow organizations to commission a customized security testing program that fits their needs.

James Denaro, Attorney, Founder of Cipher Law

CipherLaw is a high-technology law firm providing strategic counseling to innovators in information security and defense technologies, including C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance). With offices in Washington, DC and Los Gatos, California, we provide counseling on intellectual property, patent, contract, transactional, and litigation matters.

Bug Hunting and the Law: Your Questions Answered +1 415 867 5351 casey@bugcrowd.com


Outline

• Introductions

• Current State of Cyberlaw

• Legal Questions & Concerns that come up with Security Researchers

• FAQs
  • The crowd
  • Liability
  • Compliance


Risk and reward


The Foundation:

Bounty Brief:
• Scope
• Out of Scope
• Rules
• Invitation

= Contract


Regulation


FAQs


Questions about the Crowd

29,000 hackers, 112 countries represented, varying skill levels & expertise

FAQs:
• Rules and Policies
• Contracts & NDAs
• Rogue Hackers?
• Public Disclosure Incidents

*Most important thing to remember: it’s not them against you, but them and you


Liability Concerns

FAQs:
• Who is liable for security researchers?
• Who is held liable for any damages incurred from bad behavior?
• Personal liability?


Compliance Questions

Current compliance guidelines impacting cybersecurity:
• PCI
• HIPAA
• Safe Harbor

Bugcrowd’s Response:
• Private Programs
• More controlled environment
• Elite Researchers


QUESTIONS?
