Everything Old Is New Again: Legal Restrictions on Vulnerability Disclosure on Bug Bounty Platforms

Kendra Albert, Albert Sellars LLP

Thirty years ago, a debate raged over whether vulnerability disclosure was good for computer security. On one side, full disclosure advocates argued that software bugs weren't getting fixed and wouldn't get fixed unless the companies that made insecure software were called out publicly. On the other side, companies argued that full disclosure led to exploitation of unpatched vulnerabilities, especially ones that were hard to fix. After blog posts, public debates, and countless mailing list flame wars, a compromise emerged: coordinated vulnerability disclosure (CVD), in which vulnerabilities are disclosed publicly only after a period of confidentiality during which vendors can attempt to fix them. Although full disclosure fell out of fashion, disclosure won and security through obscurity lost. We've lived happily ever after since.

Or have we? The move towards paid bug bounties and the rise of platforms that manage bug bounty programs on behalf of security teams have changed the reality of disclosure significantly. In certain cases, these programs condition participation on acceptance of contractual restrictions. Under the status quo, that means software companies sometimes funnel vulnerability reports into bug bounty management platforms and then condition submission on confidentiality agreements that can prohibit researchers from ever sharing their findings.

In this talk, I'll explain how confidentiality requirements in managed bug bounty programs restrict the ability of those who report vulnerabilities to share their findings publicly, compromising the bargain at the center of the CVD process. I'll discuss what contract law can tell us about how and when these restrictions are enforceable and, more importantly, when they aren't, and offer advice to hackers on understanding their legal rights when submitting. Finally, I'll call on platforms and companies to bring their practices back in line with the original bargain of coordinated vulnerability disclosure, including by banning agreements that require non-disclosure.

Kendra Albert is a partner at Albert Sellars LLP, a public interest technology and media law firm. Prior to founding Albert Sellars, they spent seven years practicing and teaching students to practice technology law at the Cyberlaw Clinic at Harvard Law School. Kendra also served as the director of the Initiative for a Representative First Amendment from 2019 to 2024. They hold a J.D. cum laude from Harvard Law School and a B.H.A. in Theater and History from Carnegie Mellon University.

Outside of their law practice, Kendra writes and speaks on a broad range of issues related to gender, technology, and power. Their writing has appeared in The New York Times, Wired, Logic Magazine, and Tech Policy Press, as well as in academic venues such as FAccT, NeurIPS, Columbia Human Rights Law Review, Harvard Journal of Civil Rights and Civil Liberties, and the Yale Journal of Law and Technology. Kendra has also spoken at numerous conferences and events, including Black Hat (twice!), USENIX Enigma, the ALA Annual Conference, GDC, RightsCon, and ICLR. They serve on the program committee for USENIX Security.

In the past, Kendra was on the board of the ACLU of Massachusetts and Double Union, a feminist hackerspace in San Francisco. In 2024, Kendra co-hosted ComstockCon, a conference on the Comstock Act and attacks on bodily autonomy. They currently serve on the board of directors of the Tor Project, and as a guardrails advisor to the De|Center.

BibTeX
@conference{309949,
  author    = {Kendra Albert},
  title     = {Everything Old Is New Again: Legal Restrictions on Vulnerability Disclosure on Bug Bounty Platforms},
  year      = {2025},
  address   = {Seattle, WA},
  publisher = {USENIX Association},
  month     = aug
}
