Want to set up a successful bug bounty? Make sure you write it for the flaw finders and not the lawyers

If you're designing a security bug bounty for your organization's products, by all means get the lawyers to take a look, but keep their hands off the keyboard. If there's one thing flaw-finders find too tedious to deal with, and that will put them off finding holes in your defenses, it's legalese – and these are people who otherwise spend all day combing reverse-engineered code for typos.


This point came up during a panel discussion this week at a summit organized by the US government's Cybersecurity and Infrastructure Security Agency (CISA).


Chloé Messdaghi, veep of strategy at infosec training firm Point3, said she's encountered bounty programs that look more like they're intended for the legal team than the security community.


"You want to be as clear, concise, and short as possible," Messdaghi sai ..