A wide range of organizations have embraced vulnerability-disclosure programs (VDPs) that actively encourage members of the public to hack into the company's own systems. Under a VDP, a company invites “good” or “ethical” hackers to explore the company’s systems and then to report back about any discovered weaknesses. The reported information is then used to fix the vulnerability and to implement stronger protections going forward. A form of VDP surging in popularity is the bug-bounty program (BBP), in which financial or other incentives are offered to outsiders for reporting relevant information.
BBPs have come into favor because they represent a cost-effective “force multiplier” that can augment existing efforts a company may be pursuing to identify and remediate vulnerabilities. Companies are understandably attracted to the idea of making a $500 payout (the approximate average reward for a discovered bug of any severity) as an alternative to enduring an incident that could ultimately cost millions of dollars. Some companies see such programs as a lower-cost complement to increasing investment in internal security measures. Even large institutions that make substantial investments in internal security experts recognize the value of enlisting outside actors with a fresh perspective to stress-test and supplement those efforts.
As the benefits of having a BBP have become widely known, a growing range of companies have decided to adopt them. Such programs are no longer the exclusive province of technology companies such as Google; retail and service companies, such as Starbucks, have adopted them as well. Over the past year, we have seen companies of all sizes and industries institute these types of programs to good effect.
Notably, the U.S. government has joined these efforts with programs such as “Hack the Pentagon,” a bug-bounty program instituted by the U.S. Department of Defense in 2016 after a successful pilot. As then-Secretary of Defense Ash Carter observed, “We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. . . . What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.”
While there are considerable benefits to gain from having a BBP, companies must be careful in how they design and implement these programs to avoid legal and reputational risk. Both the design phase of the program as well as the response to specific reports can pose challenges that must be navigated carefully.
Based on what we have observed, there are several topics organizations must pay special attention to:
Each organization is different in terms of the types of information it holds, the legal regimes to which its information is subject, and the contractual and other obligations that may restrict disclosure. Additional legal issues arise where a company stores data or conducts activities outside the United States. The International Organization for Standardization and the International Electrotechnical Commission have published a standard on designing VDPs and, like the U.S. Department of Justice (DOJ), recommend that any company that adopts a VDP obtain legal advice in order to ensure that its program is consistent with local laws.
The bottom line is that BBPs are a valuable tool that should be carefully designed and deployed to maximize benefits and reduce risks to the organization. The above lessons should not dissuade organizations from giving BBPs serious consideration. But they highlight the value in taking time to design and implement the programs thoughtfully.
Notes

The Hacker-Powered Security Report 2017, HackerOne, 15 (2017), https://www.hackerone.com/sites/default/files/2017-06/The%20Hacker-Powered%20Security%20Report.pdf.

Marten Mickos, Should a company have a bug bounty program?, Quora (Mar. 4, 2017), https://www.quora.com/Should-a-company-have-a-bug-bounty-program.

Google Vulnerability Reward Program (VRP) Rules, https://www.google.com/about/appsecurity/reward-program/ (last visited Feb. 11, 2018).

HackerOne, Hack the Pentagon, https://www.hackerone.com/resources/hack-the-pentagon (last visited Feb. 11, 2018).

U.S. Dep’t of Defense, Remarks by Secretary of Defense Ash Carter at Hack the Pentagon Ceremony (June 2016), https://www.defense.gov/News/Transcripts/Transcript-View/Article/802660/remarks-by-secretary-carter-at-hack-the-pentagon-ceremony/.

Last year, DOJ issued guidance on designing and implementing VDPs. The guidance covers four areas: (1) the design of the program; (2) the plan for administering the program; (3) the drafting of the vulnerability disclosure policy; and (4) the implementation of the program. While the DOJ guidance is not mandatory and does not have the force of law, it reinforces many sound practices. See U.S. Dep’t of Justice, A Framework for a Vulnerability Disclosure Program for Online Systems (July 2017), https://www.justice.gov/criminal-ccips/page/file/983996/download.

See Federal Trade Commission, Start with Security: A Guide for Business, 12 (June 2015) (noting that, in one case, “the FTC charged that the company didn’t have a process for receiving and addressing reports about security vulnerabilities.”), https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf; National Highway Traffic Safety Administration, Cybersecurity Best Practices for Modern Vehicles, 14 (Oct. 2016) (highlighting that members of the automotive industry should weigh whether to create vulnerability reporting policies), https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf; Food and Drug Administration, Postmarket Management of Cybersecurity in Medical Devices, 13-14 (Dec. 2016) (suggesting that vulnerability disclosure programs can play a beneficial role as part of a cybersecurity risk management program), https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf.

See ISO/IEC 29147, Information Technology – Security Techniques – Vulnerability Disclosure (2014), https://www.johner-institut.de/blog/wp-content/uploads/2017/02/ISO_IEC_29147_2014.pdf.