Hacking the Law: Are Bug Bounties a True Safe Harbor?

Thursday, January 18, 2018 - 9:30 am-10:00 am

Amit Elazari, Doctoral Candidate, Berkeley Law, Research Fellow, CTSP, Berkeley School of Information


While the bug bounty economy is booming, a novel survey of bug bounty terms reveals that platforms and companies sometimes put hackers in “legal” harm’s way, shifting the risk for civil and criminal liability towards hackers instead of authorizing access and creating “safe harbors.” This is a call for action to hackers to unite, negotiate and influence the emerging landscape of cyberlaw, since hackers’ actions speak louder than scholars’ words. I suggest simple steps that could and should be taken in order to minimize the legal risks of thousands of hackers participating in bug bounties and create a “race-to-the-top” competition over the quality of bug bounty terms. I further suggest that the industry should move towards standardization of legal terms, especially in light of the recent DOJ framework. Hackers will learn not only which terms they should beware of in light of recent developments in anti-hacking laws, but which terms they, individually and through the platform, should demand to see to ensure “authorized access.” Most importantly, this is a case study of how a united front of hackers could demand and negotiate important rights, similar to what is done by organizations in other industries. Contracts and laws will continue to play a role in the highly regulated cyber landscape, and conflicts of interest will inevitably arise; therefore, hackers should not only pay attention to the fine print, but unite and negotiate for better terms.

Amit is a doctoral law candidate at Berkeley Law, one of the world’s leading institutions in law and technology, and a Research Fellow at CTSP, Berkeley School of Information. Her work on Cyberlaw and Intellectual Property has been published in the Canadian Intellectual Property Journal, Berkeley Technology Law Journal (BTLJ) and Berkeley Business Law Journal blogs and presented at leading security, Internet Law and IP conferences. Additionally, Amit serves as the submissions editor of BTLJ, the world’s leading IP and Tech Law Journal, and as a research assistant to Professors Deirdre Mulligan and Kenneth Bamberger, leaders in cyber law, and Professor Peter Menell, a leader in copyright law. In 2017, Amit moderated a keynote session at the Women in Cyber Security 2017 (WiCyS) conference and presented her research on bug bounties at BsidesLV and Defcon (Skytalks).

@inproceedings {208177,
author = {Amit Elazari},
title = {Hacking the Law: Are Bug Bounties a True Safe Harbor?},
booktitle = {Enigma 2018 (Enigma 2018)},
year = {2018},
address = {Santa Clara, CA},
url = {https://www.usenix.org/node/208178},
publisher = {USENIX Association},
month = jan
}
