Software bug bounties and the legal risks to security researchers

dc.contributor.advisor Maurushat, Alana en_US
dc.contributor.advisor Trakman, Leon en_US
dc.contributor.advisor Buckland, Richard en_US
dc.contributor.author Hamper, Robin en_US
dc.date.accessioned 2022-03-23T13:01:07Z
dc.date.available 2022-03-23T13:01:07Z
dc.date.issued 2020 en_US
dc.description.abstract This thesis examines some of the contractual legal risks to which security researchers are exposed when they disclose software vulnerabilities to vendors and other program operators under coordinated disclosure programs (“bug bounty programs”). On their face, the terms of these programs purport to offer security researchers an alternative to publicly disclosing discovered bugs, or selling them to purchasers who do not intend to use them to fix the underlying issues in the software; such bugs have significant value and significant potential for harm if used maliciously. Historically, vendors have deployed a range of legal measures to discourage or eliminate such disclosure. This thesis examines the terms of three popular bug bounty programs (Google, the Department of Defence (hosted on HackerOne) and Facebook) and considers their effect in the Australian jurisdiction. It examines issues including the application of unfair contracts legislation and unconscionability. It further examines three key case studies in which vendors have sought, or threatened to seek, legal remedies against researchers who discovered vulnerabilities and disclosed them to the vendor, either under its program or directly in the absence of one. It concludes that while bug bounty programs somewhat improve on the previous uncertain and potentially onerous legal regime, their terms remain asymmetric and largely non-negotiable, and vendors may be able to depart from them in certain circumstances. In this context, a range of reforms is suggested in the concluding Chapter which may improve certainty for security researchers, impose greater responsibility on software vendors and, ultimately, create more secure software. en_US
dc.language English
dc.language.iso EN en_US
dc.publisher UNSW, Sydney en_US
dc.rights CC BY-NC-ND 3.0 en_US
dc.rights.uri en_US
dc.subject.other Bug bounties en_US
dc.subject.other Software vulnerabilities en_US
dc.title Software bug bounties and the legal risks to security researchers en_US
dc.type Thesis en_US
dcterms.accessRights open access
dcterms.rightsHolder Hamper, Robin
dspace.entity.type Publication en_US
unsw.relation.faculty Law & Justice
unsw.relation.originalPublicationAffiliation Hamper, Robin, Law, Faculty of Law, UNSW en_US
unsw.relation.originalPublicationAffiliation Maurushat, Alana, Western Sydney University en_US
unsw.relation.originalPublicationAffiliation Trakman, Leon, Law, Faculty of Law, UNSW en_US
unsw.relation.originalPublicationAffiliation Buckland, Richard, Computer Science & Engineering, Faculty of Engineering, UNSW en_US
unsw.thesis.degreetype Masters Thesis en_US
Original bundle
public version.pdf
2.52 MB