How Bug Bounty Hunters Can Leverage GDPR

This article was co-written by Kris Lahiri, Data Protection Officer and Dawid Balut, Egnyte Architect.

For some GDPR violations, yes.

The GDPR emphasizes data breaches and breach prevention, so detecting vulnerabilities early can help companies comply. The new regulation might incentivize bug bounty programs for organizations that want to add a layer to their risk management process.

I’ve worked with a few companies that increased bounty payouts for discovering GDPR-related vulnerabilities. They use bug bounty programs to show auditors that they've implemented preventive security measures.

For example, external features like file upload or file sharing grant access to customer data, so increasing bounties can encourage security researchers to test those features. If a data breach does occur, auditors will favor businesses that invest in multiple layers of security. Bug bounty programs are a great addition to internal and external penetration tests.

Security leaders understand that bug bounty programs aren't a complete remedy and can often come with their own risks. Bug bounties should only be used to support mature security programs, not replace them. Without competent internal security, data privacy, and legal teams, companies may expose themselves to GDPR violations when bug bounty programs aren't properly managed.

We must consider possible scenarios, like one in which a bug bounty hunter posts screenshots of internal data on a bug bounty platform. In an attempt to demonstrate and document vulnerability, they may unintentionally leak data. Whether or not this qualifies as a violation depends on existing internal defense mechanisms and the judgment of GDPR authorities. If companies have solid data protections, like data anonymization, then data presented in a screenshot may be considered meaningless in regard to GDPR objectives.

Another risky scenario to consider is one in which bug bounty hunters obtain sensitive data during vulnerability tests for file downloading features. Once they’ve discovered an initial security flaw, some bug bounty hunters may try to escalate their access privileges. If they’re allowed to enter internal infrastructure in order to assess the severity of the bug, they may also obtain sensitive personal data. To minimize security risks, some operations and internal services should not be exposed to bug bounty hunters.

Bug bounties can be used to test whether an organization has satisfied certain GDPR requirements, such as regular security testing, data safety evaluations, and the right to be forgotten, but should only be used where relevant and appropriate. Currently, there are many unknowns relating to the GDPR and most companies cannot properly implement these programs without increasing risk.

Learn More about GDPR and see how Egnyte can help you meet compliance.