Data Privacy Considerations for Starting or Evaluating a Bounty Program
Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. There is a great deal of debate, however, about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. While these organizations view “bounty” programs as commonsense crowdsourcing, others view the concept of paying someone who has hacked a company’s system as extortion. As more companies move to establish bounty programs, third parties have begun to offer platforms or frameworks to help organize the programs. Some frameworks provide a forum in which companies can communicate with hackers; a method to facilitate payments to hackers; and guidelines for hackers to follow when identifying vulnerabilities and reporting them to participating companies.
The following provides a checklist for organizations that are considering starting a bounty program, or are evaluating the structure of their existing program.
If you do not enact a bounty program:
1. What are the practical implications if the organization views any hack as “unauthorized?”
2. What are the practical implications if a “white hat” hacker tries to breach your security with no guidelines on how they should act?
3. Is there a risk that individuals who know of a security vulnerability may provide that information to bad actors instead of providing it, first, to you?
4. Is there a risk that individuals who know of a security vulnerability may provide that information to the media or to regulators instead of providing it, first, to you?
5. Would the organization view an unsolicited request for payment by a hacker as extortion?
If you do enact a bounty program:
1. Will you be encouraging more breaches to your system?
2. Do you have confidence that you can track/monitor successful participants?
3. Will all of your systems be “in scope” for the bounty program?
4. Should certain forms of attack be prohibited (e.g. denial of service attacks)?
5. Will employees be eligible to participate?
6. Will the program be focused on weaknesses to the security of sensitive personal information, to the performance of IT infrastructure, or to both?
7. Will you proactively disclose the level of compensation that a participant should expect?
8. What conditions of confidentiality will you impose on participants?
9. How can you avoid the unintentional access or acquisition of sensitive personal information?
10. How will you receive and document security vulnerabilities?
11. Will you utilize a third party that manages, hosts, or provides a framework for your program?
The following provides a snapshot of information regarding bounty programs.
The number of organizations that have established data security bounty programs.1
The percentage of bounty programs that pay a bounty.2
One of the largest maximum rewards offered through a bounty program.3
Typical range of rewards offered for programs that pay monetary compensation.
 Statistics from Vulnerability Laboratory, Bug Bounties, Rewards, and Acknowledgements, http://vulnerability-lab.com/list-of-bug-bounty-programs.php.
 Based upon review of data obtained from vulnerability labs, infra.
 Google Chrome posted maximum for compromise of a Chromebook, https://www.google.com/about/appsecurity/chrome-rewards/index.html.