“Bug Bounty” Law: Navigating the Vulnerability Disclosure Legal Landscape

Amit Elazari Bar On

Speaker Bio

Director, Global Cybersecurity Policy at Intel Corporation, Lecturer, UC Berkeley School of Information (MICS)
Amit is a Director of Global Cybersecurity Policy at Intel Corporation and a Lecturer at UC Berkeley’s School of Information Master in Information and Cybersecurity (MICS). She holds a Doctor of Science of Law (J.S.D.) from UC Berkeley School of Law. She graduated Summa Cum Laude with three prior degrees in law and business (B.A., LL.B., LL.M.). Her research work in the field of information security law and policy has been published in leading technology law journals, presented at conferences such as Black Hat, USENIX Enigma, USENIX Security, BSidesLV, BSidesSF and DEF CON, and featured in leading news sites such as The Wall Street Journal, The Washington Post and The New York Times. In 2018, Amit was granted a Center for Long-Term Cybersecurity (CLTC) grant for her work on private ordering regulating information security, exploring safe harbors for security researchers. She is trained as a lawyer and practiced law in Israel.


Bug bounties and Vulnerability Disclosure Programs (VDPs) are among the fastest growing, most popular ways for companies to engage with the security research community and uncover unknown security vulnerabilities. They also raise a variety of legal issues for researchers and corporations to consider. This talk will explore how the law interacts with bug bounties and VDPs, how it might affect security researchers, and suggest pathways for bug bounties and vulnerability disclosure programs to foster research and ethical hacking. Highlights will include anti-hacking laws, unpacking some myths concerning bug bounty legalese, and contract standardization efforts already widely adopted across the industry.