Call it a tale of two legislations.
One bill is designed to establish a federal bug bounty program for State Department websites; the other is a proposed state law that threatens to have a chilling effect on vulnerability researchers and white-hat hackers.
Casey Ellis, founder and CTO of bug bounty platform provider Bugcrowd, addressed both in an interview with SC Media at RSA 2018.
Ellis expressed concern over Georgia Senate Bill 315, which makes it a crime for unauthorized individuals to deliberately access a computer or network, but does not carve out any exceptions for legitimate research and vulnerability hunting. Ellis said Bugcrowd attempted to engage in dialogue with state lawmakers in hopes of shaping the bill into “something that’s at least less threatening to people that are operating in good faith.” But for now, concerns remain, especially after the Georgia legislature passed the bill last March, sending it to the desk of Governor Nathan Deal (R), who has until May 8 to sign it.
Reportedly, a group of more than 50 experts, researchers and academics wrote a letter to Deal, asking him to veto the bill.
Ellis said that laws like SB 315 and the Computer Fraud and Abuse Act, as currently written, “operate on the assumption that if you’re a hacker, you’re automatically a bad person,” adding that he worries this could become a legislative trend.
On the other hand, Ellis praised the “Hack Your State Department Act” bill — introduced last March by Reps. Ted Lieu (D-Calif.) and Ted Yoho (R-Fla.) — which is designed to establish a federal bug bounty program for State Department websites. This development follows other successful programs in which researchers were encouraged to “hack” the Pentagon and Air Force — and Ellis said other government agencies will likely follow suit, due to a dearth of available talent.
“They can’t find people. They’re having horrible trouble hiring and they’re looking at this crowdsource model as a better way to get adversarial feedback into their organizations so they can reduce their risk,” said Ellis.
During his interview, Ellis also talked about the uptick in interest among Internet of Things manufacturers to pursue bug bounty programs, as well as the need to ensure that security programs continue to leverage human creativity and ingenuity.