Post on 15-Jan-2017
Crowdsourced Cybersecurity
Bug Hunting and the Law: Your Questions Answered
Jim Denaro + Casey Ellis
Speakers
Casey Ellis, Founder & CEO, Bugcrowd
An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 29,000 security researchers to surface critical software vulnerabilities. Bugcrowd provides a range of vulnerability disclosure and bug bounty programs that allow organizations to commission a customized security testing program that fits their needs.
James Denaro, Attorney, Founder of Cipher Law
CipherLaw is a high-technology law firm providing strategic counseling to innovators in information security and defense technologies, including C4ISR (command, control, communications, computers, intelligence, surveillance and reconnaissance). With offices in Washington, DC and Los Gatos, California, we provide counseling on intellectual property, patent, contract, transactional, and litigation matters.
Bug Hunting and the Law: Your Questions Answered +1 415 867 5351 casey@bugcrowd.com
Outline
• Introductions
• Current State of Cyberlaw
• Legal Questions & Concerns that come up with Security Researchers
• FAQs
  • The crowd
  • Liability
  • Compliance
Risk and reward
The Foundation:
Bounty Brief:
• Scope
• Out of Scope
• Rules
• Invitation
= Contract
Regulation
FAQs
Questions about the Crowd
29,000 Hackers, 112 Countries Represented, Varying skill level & expertise
FAQs:
• Rules and Policies
• Contracts & NDAs
• Rogue Hackers?
• Public Disclosure Incidents
*Most important thing to remember - It’s not them against you, but them and you
Liability Concerns
FAQs:
• Who is liable for security researchers?
• Who is held liable for any damages incurred from bad behavior?
• Personal liability?
Compliance Questions
Current compliance guidelines impacting cybersecurity:
• PCI
• HIPAA
• Safe Harbor
Bugcrowd’s Response
• Private Programs
  • More controlled environment
  • Elite Researchers
QUESTIONS?