Overview
Explore how modern bug bounty platforms have fundamentally altered the landscape of vulnerability disclosure through restrictive confidentiality agreements in this 25-minute conference talk from USENIX Security '25. Examine the historical evolution from the full disclosure versus responsible disclosure debates of thirty years ago to today's coordinated vulnerability disclosure (CVD) compromise, and understand how paid bug bounty programs managed by third-party platforms are undermining this established framework. Learn about the legal mechanisms through which software companies now funnel vulnerabilities into managed platforms that require researchers to sign confidentiality agreements, potentially prohibiting them from ever sharing their security findings publicly. Analyze contract law principles to understand when these restrictive agreements are legally enforceable and when they may not be, gaining practical advice for security researchers navigating their legal rights during vulnerability submissions. Discover the speaker's recommendations for platforms and companies to reform their practices to better align with the original principles of coordinated vulnerability disclosure, including calls to ban perpetual non-disclosure requirements that compromise the fundamental bargain between researchers and vendors.
Syllabus
USENIX Security '25 (Enigma Track) - Everything Old Is New Again: Legal Restrictions on...
Taught by
USENIX