A helpful citizen who returns a stash of cash found in the trash may receive a reward, but they don’t get to keep the loot. When the misplaced treasure is digital, though, the story looks different.
Las Vegas is home to many a fictional bank heist, but this week Sin City is hosting the Black Hat security conference. Dylan Ayrey, CEO of Truffle Security, and cybersecurity lawyer Whitney Merrill, data protection officer and lead privacy counsel for Asana, regaled Black Hat conference attendees with tales of errant personal data and the various entities that came to possess it, then posited ways to minimize the possibility of exposure.
The team focused specifically on bug bounty programs. In such a program, a major company like Microsoft sets up rules authorizing legitimate researchers to hack their products and services, rewarding successful hacks with cash. It sounds a bit iffy, but when the white-hat hackers find and report a bug, the company can fix it before it gets abused.
“So, before we start,” said Ayrey, “raise your hand if you either run a bug bounty program or have participated in one. Hmm, maybe half the audience. For the half that did not raise your hand, you may have participated even though you don’t know it.”
“Why are we qualified to talk about this?” continued Ayrey. “I’m a security researcher and a bug hunter. I co-founded a company called Truffle Security, built on a privacy technology called TruffleHog.”
“Hi, I’m Whitney,” said Merrill. “I’m an attorney, but not your attorney. I’ve worked as in-house counsel for many years. Currently I support my team at Asana.”
“Bug bounty programs say, don’t touch data from other users,” continued Ayrey. “Only test with your own account. Don’t involve other users.