Published on September 28th, 2019
AB5 will affect bug bounty companies. How much it will affect them is unclear.
While much of the attention around California's recently passed Assembly Bill 5 (AB5) has focused on the future for Uber and Lyft drivers, bug bounty contractors working in California could also argue they're covered under the law when it goes into effect next year.
California Gov. Gavin Newsom on Sept. 18 signed AB5, which changes how employers can classify independent contractors and employees. Bug bounty firms rely on freelance hackers to use their platforms and identify or help mitigate software vulnerabilities. Many government agencies and Fortune 500 companies use the platforms, and the cheap labor that comes with them, as a way to close a portion of their cybersecurity gaps.
The extent to which the law, which goes into effect Jan. 1, is applicable to bug bounty freelancers will hinge on an individual's specific professional situation, employment attorneys told CyberScoop. Yet, the grey area in which these freelance hackers now sit exacerbates the kind of uncertainty that could ripple throughout the security world, where contract work is plentiful.
The law enacts the so-called "ABC" test, in which a business can classify a worker as an independent contractor rather than an employee only if all three prongs are met: A) the worker is "free from the control and direction" of the hiring entity in performing the work, B) the worker performs work that is outside the usual course of the hiring entity's business, and C) the worker is customarily engaged in an independently established trade, occupation or business of the same nature as the work performed for the hiring entity.
Labor lawyers who spoke with CyberScoop differed on where bug bounty freelancers would fall in the ABC test.
"The functional issue will be whether the independent contractor's role is a key part of the business," said Edward Kraus, an attorney with experience on labor issues at the Silicon Valley Law Group. "If a bug bounty company's primary job is to test companies by hiring out that work to contractors, that work is now questionable."
Veena Dubal, an associate professor of law at the University of California Hastings College of the Law, was less circumspect. "Yes," she said when asked if bug bounty contractors' status will change. "They will need to be treated like employees, and it doesn't have to affect their flexibility at all."
The "ABC test" is already a matter of an ongoing debate in the halls of state government and Silicon Valley boardrooms. Tony West, Uber's chief legal counsel, provided a glimpse into the company's legal strategy when he told reporters Uber would pass the test based on the argument that drivers do work outside the $31 billion firm's core business. That stance almost certainly will be tested in court, likely resulting in a decision that clarifies how other firms will need to comply with AB5, legal experts said.
David Balter, assistant chief legal counsel for California's division of labor standards, said the law "is not black and white" for bug bounty freelancers. A person who works primarily with one bug bounty company might have a stronger legal claim to be an employee, he acknowledged, while a freelancer submitting bugs to multiple vendors may have a "less clear" path to victory in court.
Bug bounty platform HackerOne defines its hackers as independent third-parties interested in participating in the bounty programs and connecting with clients. The company has raised $110.4 million, according to Crunchbase, in part by introducing customers like GM and Starbucks to white-hat hackers.
A representative for the company declined to comment for this article.
Competitors Synack and Bugcrowd both describe their hackers as contractors. The companies each acknowledged they're monitoring the legal situation.
"The gig economy is still a young model, but it's clearly the future of many types of work; it's what many workers affirmatively want," a Bugcrowd spokeswoman said in a statement. "What this law is and how it will be ultimately implemented continues to evolve and we continue to watch it, but we're confident that in the end it will not negatively impact our model."
If regulators do determine bug bounty firms are violating the law, it could become difficult to retain freelance triage contractors, said Katie Moussouris, founder of Luta Security and a former HackerOne employee who also started Microsoft's bug bounty program.
"Microsoft and other large companies already pay six figures and give great benefits," she said of triage personnel, adding that the job, which involves sifting through bug reports, is inherently repetitive and stressful.
"They will have to see what Uber and Lyft do," she said of bug bounty providers. "But the triage personnel… that's in the maintenance category of defense that has to understand offense and have good communication skills. [It's] hard to hold on to those because it's the toughest job you'll never love."