The chair of the Assembly's Privacy and Consumer Protection Committee thinks California should borrow a page from the private sector to identify security flaws in the state's computer systems, online services and websites: pay money to white-hat hackers and researchers who find vulnerabilities.
Assemblymember Ed Chau, D-Monterey Park, recently introduced legislation (AB 2720) that would authorize the Department of Technology's information security office to create a Cybersecurity Vulnerability Reporting Reward Program. The program would be contingent on adequate funding to pay the "bounties."
Chau said the inspiration for the legislation came from programs already in place in California's tech industry. Hundreds of companies, including Facebook and Google, offer monetary awards to people who discover critical security issues in their systems. The bigger and more serious the flaw, typically the bigger the award payout. Here's a long list of these bounty programs.
“With cybercrimes and other major online threats growing in frequency, we have to get creative as a state on how we improve our own cybersecurity,” Chau said in an email to Techwire on Thursday. “One way to do that is to borrow from the best practices of our own tech industry here in California, such as vulnerability reward programs, but doing so in a way that establishes strong safeguards to make sure that we’re incentivizing positive behavior.”
Chau's legislation does not yet prescribe the amount of funding that would go toward the bounties, but that could be added in the weeks ahead. Chau's chief of staff said the money will have to be competitive so that people take the time and effort to make submissions. Companies tend to pay a minimum of $100 to $500; big flaws can bring several thousand dollars. Some companies honor security researchers who do this type of work by inducting them into a public "hall of fame" website.
If AB 2720 ultimately moves forward and is signed, California would become one of the first governments in the U.S. to start such a program. This week the U.S. Department of Defense announced "Hack the Pentagon," the federal government's first bug bounty program. DoD's program, which will launch in April, will be operated by the Defense Digital Service. The DoD says participants in the bug bounty will have to pre-register and will be vetted with a background check.
"I am always challenging our people to think outside the five-sided box that is the Pentagon," said Secretary of Defense Ash Carter in the March 2 announcement. "Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security."
Some skeptics worry that bug bounty programs, especially in government, are imprudent because they point the way to hackers who have ill intent. Occasionally, white-hat researchers have been accused of impropriety as they search for vulnerabilities. Even so, there are many supporters. One expert asserts, for example, that giving someone the option of "selling" information about a bug to the government might help keep them off the black market.
Others have argued that bug bounties are, in effect, crowdsourcing the practice of cybersecurity — a needed model because of a global shortage of 1 million IT security professionals.
Last year the ACLU, in a letter to the federal government's Internet Policy Task Force, backed the use of bug bounty programs in the public sector.
"We believe that companies and government agencies have much to gain by working with, rather than against, the computer security research community," the ACLU wrote.
California's cybersecurity posture has been under fire in recent months after a 2015 state audit found that most agencies say they aren't fully compliant with existing policies. During an oversight hearing last week, lawmakers criticized the state, and the Department of Technology said the audit's recommendations are being implemented.