Bug Hunters Dump User Data. Can They Keep it? Well They're Keeping it Anyway.

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the importance of data governance in bug bounty programs and suggests ways to prevent data leaks.
  • Bug bounty programs require proper data governance to prevent data leaks
  • Companies should work with legal teams to ensure compliance with data privacy laws
  • Access controls should be tailored to limit access to sensitive data
  • Platforms used in bug bounty programs should allow for data retention policies
  • Data should not be sent over email and backups should have good retention policies
The presenter shares that a third-party testing service called XSS Hunter held 1.66 terabytes of leaked data, accumulated from the screenshots captured when blind cross-site scripting payloads fired. The presenter also realized that their own user account in the bug bounty system did not have two-factor authentication enabled, which could have led to a potential breach.

Abstract

A security researcher used a modern bug bounty platform to disclose an accidental dump of personal data of ~50,000 of a FAANG company's users from that company's servers. The data passed through several third-party systems not related to the company and landed on the researcher's laptop. What were the legal obligations of the company running the program to protect the data affected? What were the legal obligations, if any, put on the researcher around protecting the data? Who should be responsible for the cleanup? You may be surprised to learn this FAANG company never disclosed the dump, and both the researcher and the third parties continued to have access to the data.
