Module: 01j — Bug Bounty Legal Protections: What Security Researchers and Companies Actually Have
Difficulty: Intermediate
Questions
Q1. The Supreme Court's Van Buren v. United States (2021) decision narrowed CFAA's "exceeds authorized access" provision. What is the core holding relevant to security researchers?
- A) Terms-of-service violations alone constitute criminal CFAA violations
- B) "Exceeds authorized access" covers accessing a prohibited area of a system — not mere misuse of permitted access
- C) Good-faith security research is explicitly exempt from CFAA criminal liability
- D) Civil CFAA suits are barred against good-faith security researchers
Correct answer: B Explanation: Van Buren held that "exceeds authorized access" covers obtaining information from areas of a computer (files, folders, databases) to which the person's access does not extend, not mere misuse of access that was otherwise permitted. This means terms-of-service violations alone likely do not constitute criminal CFAA violations. Two caveats remain: the Court left open whether the limits on access must be technical (code-based) or can be set by contract or policy, and bypassing an authentication mechanism still implicates the separate "without authorization" prong of the CFAA.
Q2. In May 2022, DOJ updated its CFAA charging policy to protect good-faith security research. Which of the following is a correct statement about the limits of this policy?
- A) The policy is a binding federal statute that courts must follow
- B) The policy protects researchers from civil CFAA suits filed by private companies
- C) The policy can be modified or revoked by the next administration and does not bind courts
- D) The policy provides automatic protection from state computer crime statutes
Correct answer: C Explanation: The DOJ charging policy is prosecutorial guidance — not a statute. It can be modified or revoked by the next administration, it does not bind courts, and it provides no protection against civil CFAA suits by private companies or prosecution under state computer crime statutes.
Q3. CISA Binding Operational Directive 20-01 (BOD 20-01), issued September 2, 2020, requires what from all federal civilian executive branch agencies?
- A) Federal agencies must pay bug bounty rewards at rates matching HackerOne market rates
- B) Federal agencies must develop and publish a Vulnerability Disclosure Policy covering all internet-accessible information systems
- C) Federal agencies must enroll in at least one commercial bug bounty platform within 180 days
- D) Federal agencies must prosecute any unauthorized security research regardless of good faith
Correct answer: B Explanation: BOD 20-01 requires every federal civilian executive branch agency to develop and publish a Vulnerability Disclosure Policy (VDP), within 180 days of the directive's issuance, covering all internet-accessible information systems. The VDP must include scope, good-faith testing rules, a report submission process, and a commitment not to pursue legal action against researchers who make a good-faith effort to follow the policy. It does not require bounty payments or enrollment in a commercial platform.
Q4. Under the bug bounty program authorization framework, when does a researcher have "express authorization" that resolves the CFAA "without authorization" element in their favor?
- A) Whenever the researcher believes their research improves public security
- B) When the researcher follows DOJ's good-faith policy definition
- C) When the researcher reviews a program policy, agrees to platform terms, and tests within defined in-scope systems
- D) Whenever the organization has not explicitly prohibited security research in its terms of service
Correct answer: C Explanation: Bug bounty program enrollment creates contractual authorization. When a researcher reviews the program policy, agrees to platform and program-specific rules, and tests within the defined in-scope systems, they have express authorization — and the CFAA "without authorization" element is resolved in their favor. Testing outside defined scope on the same organization's systems is still unauthorized.
Q5. HackerOne launched its AI Research Safe Harbor in January 2026. Which of the following activities does this safe harbor cover?
- A) Social engineering of company employees to test AI security culture
- B) Physical access to AI infrastructure data centers
- C) Testing AI models for prompt injection, model extraction, and adversarial inputs within defined scope
- D) Production infrastructure attacks to test AI system resilience under real-world conditions
Correct answer: C Explanation: The HackerOne AI Research Safe Harbor covers testing AI models for security vulnerabilities (prompt injection, model extraction, data poisoning, adversarial inputs) and safety issues within defined scope parameters. It explicitly does NOT cover social engineering of employees, physical access to infrastructure, or production infrastructure attacks outside defined scope.
Q6. A researcher operating in California concludes that the Van Buren narrowing of the CFAA likely protects their testing activity from federal criminal liability. Which statement about California law is correct?
- A) California Penal Code § 502 automatically adopts Van Buren's narrowing interpretation
- B) California courts have uniformly applied a Van Buren-equivalent limitation to § 502
- C) California Penal Code § 502 includes civil actions for compensatory and punitive damages, and California courts have not uniformly adopted a Van Buren-equivalent limitation
- D) California has no independent computer crime statute — federal CFAA analysis is sufficient
Correct answer: C Explanation: California Penal Code § 502 covers unauthorized access to any computer, computer system, or computer network, and includes civil actions for compensatory and punitive damages. Post-Van Buren CFAA narrowing does not automatically apply to § 502 interpretation, and California courts have not uniformly adopted a Van Buren-equivalent limitation.
Q7. The standard coordinated vulnerability disclosure timeline adopted by Google Project Zero and widely followed in the security research community is:
- A) 30 days from private report to permitted public disclosure
- B) 60 days from private report to permitted public disclosure
- C) 90 days from private report to permitted public disclosure
- D) 180 days from private report to permitted public disclosure
Correct answer: C Explanation: The coordinated disclosure standard is 90 days from private report submission to permitted public disclosure, the Google Project Zero timeline that has been widely adopted. If the vendor patches within 90 days, the researcher discloses publicly after the patch (Project Zero's 2021 revision adds a further 30-day window after the fix before technical details are published). If the vendor does not patch within 90 days, the researcher may disclose, typically with advance warning to the vendor.
Q8. "Full disclosure" — immediately releasing vulnerability details publicly without vendor notification — carries heightened legal risk under the DOJ's good-faith policy because it fails to satisfy which element?
- A) The requirement that research be performed by a credentialed security professional
- B) The "designed to avoid any harm to individuals or the public" element of the good-faith definition
- C) The requirement that research be conducted through a registered bug bounty platform
- D) The requirement that researchers obtain prior written authorization from CISA
Correct answer: B Explanation: DOJ's good-faith security research definition requires that the activity be "carried out in a manner designed to avoid any harm to individuals or the public." Full disclosure without vendor notification may enable attackers to exploit the vulnerability before a patch is available — failing this element and creating legal risk under the policy.
Q9. As of 2026, what is the status of a federal statutory safe harbor for good-faith security research?
- A) The Security Research Act passed in 2023 and provides a comprehensive federal safe harbor
- B) No federal statutory safe harbor exists — proposed legislation has been introduced multiple times but none has passed
- C) The DOJ charging policy was codified into statute in 2024, creating a binding safe harbor
- D) The Budapest Convention Article 6 provides a binding uniform safe harbor for U.S. researchers
Correct answer: B Explanation: As of 2026, no federal statutory safe harbor for good-faith security research exists. Proposed legislation (including the Security Research Act and similar bills) has been introduced in Congress multiple times but none has passed. The DOJ policy remains guidance, not statute.
Q10. Which of the following correctly describes how bounty payment works in a standard bug bounty program?
- A) Payment is made upon submission of any report, regardless of validity
- B) Payment is made only after vulnerability is confirmed, validated, and the platform deducts its commission
- C) Payment is guaranteed within 30 days of submission under HackerOne platform rules
- D) Payment is made only after public disclosure of the vulnerability
Correct answer: B Explanation: Bounty is paid on validation of a legitimate, in-scope, reproducible vulnerability — not on submission. Bug bounty platforms (HackerOne, Bugcrowd) also take a percentage commission of each bounty paid. Researchers are not guaranteed payment simply by submitting a report.