Software bug bounties and the legal risks to security researchers

Access: open access
Copyright: Hamper, Robin
Abstract
This thesis examines some of the contractual legal risks to which security researchers are exposed when they disclose software vulnerabilities to vendors and other program operators under coordinated disclosure programs ("bug bounty programs"). On their face, the terms of these programs purport to offer security researchers an alternative to publicly disclosing discovered bugs, or selling them to purchasers who do not intend to use them to fix the underlying issues in the software; such bugs have significant value and significant potential for harm if used maliciously. Historically, vendors have deployed a range of legal measures to discourage or eliminate such disclosure. This thesis examines the terms of three popular bug bounty programs (Google, the Department of Defence (hosted on HackerOne) and Facebook) and considers their effect in the Australian jurisdiction, including the application of unfair contracts legislation and the doctrine of unconscionability. It further examines three key case studies in which vendors have sought, or threatened to seek, legal remedies against researchers who discovered vulnerabilities and disclosed them to the vendor, either under its program or directly in the absence of one. It concludes that while bug bounty programs somewhat improve on the previously uncertain and potentially onerous legal regime, their terms remain asymmetric and largely non-negotiable, and vendors may be able to depart from them in certain circumstances. In this context, the concluding chapter suggests a range of reforms that may improve certainty for security researchers, impose greater responsibility on software vendors and, ultimately, produce more secure software.
Author: Hamper, Robin
Supervisors: Maurushat, Alana; Trakman, Leon; Buckland, Richard
Publication Year: 2020
Resource Type: Thesis
Degree Type: Masters Thesis
Institution: UNSW
Files: public version.pdf (2.52 MB, Adobe Portable Document Format)