Bug bounty platforms buy researcher silence, violate labor laws, critics say

Bug bounty platforms use NDAs to trade bounty hunter silence for the possibility of a payout. Security researchers report security flaws under NDA and are paid to keep quiet. All organizations need a vulnerability disclosure program (VDP); few need a bug bounty program. HackerOne’s co-founder and CTO Alex Rice defends the practice of providing private bug bounty programs to companies that lack a VDP, citing legal, regulatory, policy and risk management concerns inside customer organizations. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it.”]

Source: https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html

Something Fresh

Zip Codes & PII: Are They Personal Data?

ZeroNet: 51% Attack Risks & Mitigation

Zero Knowledge Voting with Trusted Server

What People Reading

Zero-Day Vulnerabilities: User Defence Guide

Feedback and data-driven updates to Googles disclosure policy

YubiKey Security: Initial Setup with Yubi Cloud

Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar

Certificate Security in the Wild West

Categories

Partners

Just add here your partners image or promo text