Past Event
Online & In-Person
Seminar

Catch-and-Kill: How Bug Bounty Programs Undermine Security

RSVP Required. Open to the Public.

An AI Cyber Lunch with Ryan Ellis.

Bug bounty programs have transformed computer security work. At their core, these programs organize and manage a market for digital piecework, paying security researchers who identify and report novel bugs. Bounties are frequently promoted as a way to improve the security of our digital world.

Yet, as this talk identifies, in some instances these programs can perpetuate insecurity. In this AI Cyber Lunch, Ryan Ellis, Associate Professor of Communication Studies at Northeastern University, will examine the associated risks of such programs using a detailed analysis of the case of Uber’s bug bounty program.

Q&A to follow. Buffet-style lunch to be provided.

Registration: RSVP required. A Harvard University ID is required for in-person attendance. All are welcome to attend on Zoom.

Recording: This seminar will NOT be recorded.

Accessibility: To request accommodations or if you have questions about access, please contact Liz Hanlon (ehanlon@hks.harvard.edu) in advance of the session.

Abstract

Bug bounty programs have transformed computer security work. At their core, these programs organize and manage a market for digital piecework, paying security researchers who identify and report novel bugs. Bounties are frequently promoted as a way to improve the security of our digital world. Yet, as this talk identifies, in some instances these programs can perpetuate insecurity. The bulk of the talk is devoted to a detailed analysis of the case of Uber’s bug bounty program. In 2016, hackers compromised the personal data of 600,000 Uber drivers and over 57 million users. Rather than reporting this breach as required by law, Uber used its bug bounty program to try to buy the silence of a pair of hackers. The Uber case underscores how, in some cases, bounty programs can undermine collective security. The talk examines the larger public risk that lurks within the deployment of particular types of security practices and programs and considers what ought to be done about it.

Speaker

Ryan Ellis is an Associate Professor of Communication Studies at Northeastern University. Ryan’s research and teaching focus on topics related to communication law and policy, infrastructure politics, and cybersecurity. He is the author of Letters, Power Lines, and Other Dangerous Things: The Politics of Infrastructure Security (MIT Press, 2020) and the editor (with Vivek Mohan) of Rewired: Cybersecurity Governance (Wiley, 2019). He is the author of an upcoming book on bug bounty programs and the remaking of security work for MIT Press.