At a time when cyber threats are growing in frequency, scale and sophistication, public-private cooperation is our greatest defense. Yet a recent decision by the Ninth Circuit Court of Appeals in United States v. Sullivan threatens to unravel one of the most effective public-private tools we have – responsible vulnerability disclosure through bug bounty programs.
The ruling takes power away from private organizations to manage their own computer systems by interpreting the federal Computer Fraud and Abuse Act (CFAA) to prohibit them from retroactively authorizing access to their systems.
Under this interpretation, security researchers who act in good faith, identify vulnerabilities, and responsibly report them to enterprises may still face criminal prosecution if they accessed the system before receiving formal permission.
This decision is deeply out of step with modern cybersecurity practices and puts organizations, CISOs and national security at greater risk.
Why This Should Concern Policymakers
Bug bounty programs and coordinated vulnerability disclosure (CVD) frameworks are used extensively by leading private companies – including Microsoft, Meta, Apple – as well as by the US Department of Defense and many other government agencies. These programs incentivize ethical hackers to discover and report flaws before malicious actors exploit them.
According to the FBI, global losses from cyber-enabled crimes exceeded $50bn over the past five years. In that same period, ethical researchers identified hundreds of thousands of exploitable vulnerabilities through programs that depend on post-access authorization.
When a federal court strips CISOs and legal teams of their flexibility to retroactively authorize access – even when it is demonstrably beneficial, risk-managed, and contractually bound – it chills the very disclosures that improve national cyber resilience.
The case in question relates to an unsuccessful appeal against the conviction of former Uber CISO Joe Sullivan on charges relating to covering up a data breach at the firm. The 2016 breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.
Congress’s intent with the CFAA was never to criminalize good-faith cybersecurity research, but that is now a real and immediate consequence of the ruling.
This ruling also threatens to worsen an already severe cybersecurity workforce crisis. The industry is facing a global shortage of more than 4.7 million cybersecurity professionals, and over 542,000 positions remain unfilled in the US alone per the 2024 Cybersecurity Workforce Study released by ISC2.
Organizations depend on ethical hackers and independent researchers to crowdsource vulnerability identification, and they use bug bounty programs to incentivize them to help.
These same ethical hackers and researchers are often part of the critical pipeline for cultivating the next generation of defenders.
If courts treat good-faith researchers as criminals, we hamstring our already resource-strapped teams and deter talent from entering the field altogether, widening the talent gap at the worst possible time.
The Perils for Business and Security Leaders
The Sullivan ruling also creates a Catch-22 for security leaders:
- Act quickly and collaboratively to neutralize threats, and risk legal exposure, or
- Delay action until it is too late.
The precedent elevates legal rigidity over security pragmatism, removing discretion from those who understand threats best – CISOs.
The implications for risk management are significant. Security executives are already hesitating to engage with researchers unless pre-authorization protocols are in place and being assiduously followed – something that is often infeasible and impractical in zero-day scenarios, and which only serves to leave security vulnerabilities unmitigated. Worse, researchers may simply stop reporting vulnerabilities, knowing they could face prosecution.
This ruling also introduces a new liability vector for corporations. If a CISO chooses to resolve a threat via existing bug bounty channels but does so without airtight contemporaneous access authorization, the organization – and its executives – may be exposed to federal charges.
The Path Forward
It is imperative that the Trump administration, Congress, and the courts act to clarify that the CFAA is not a tool for prosecuting good-faith cybersecurity collaboration. The Trump administration and Congress should consider legislative amendments that codify safe harbor provisions for organizations and researchers participating in structured, documented bug bounty and CVD programs.
Likewise, executives should invest in well-governed disclosure frameworks that include clear authorization protocols – but also retain flexibility for emergency response.
The internet is a shared asset. Securing it requires dynamic cooperation between private innovation and public enforcement. When the law punishes the very collaboration that prevents cyberattacks, we weaken our collective defense.
Security researchers are not the enemy. In many cases, they are the reason our systems stay one step ahead of real enemies. Let us not legislate and litigate them into silence – and let’s not drive future defenders away before they even get started.