FAANGs failing on keeping user data safe from bug hunters
2022-08-12 00:58

Dylan Ayrey, a bug hunter and CEO of Truffle Security, discovered a credential dump at a big data company containing personal information belonging to about 50,000 of its users, and the company still hasn't fixed it.

There's a ton of personal data stored on researchers' laptops and bug bounty platforms, some of which don't require multi-factor authentication to access, Ayrey said.

This isn't to say these programs are bad: "We do believe bug bounties are a positive force for change, and that companies that run bug bounties are in a better place than companies that don't," he added.

Organizations that build bug bounties "need to be prepared for the worst," especially if they ask security researchers to take that extra step involving user data, said attorney Whitney Merrill, Asana's data protection officer and lead privacy counsel.

Keep track of your data, including who has copies of it, such as third-party software providers and the bug hunters themselves.

By all means ask the bug hunters to delete user data, and confirm that they're not keeping it.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/12/faang_bug_hunters/