California’s new labor law is going to impact bug bounty companies. By how much is unknown.

While much of the attention around California’s recently passed Assembly Bill 5 (AB5) has focused on the future for Uber and Lyft drivers, bug bounty contractors working in California could also argue they’re covered under the law when it goes into effect next year.

California Gov. Gavin Newsom on Sept. 18 signed AB5, which changes how employers can classify independent contractors and employees. Bug bounty firms rely on freelance hackers to use their platforms and identify or help mitigate software vulnerabilities. Many government agencies and Fortune 500 companies use the platforms — and the cheap labor that comes with them — as a way to close a portion of their cybersecurity gaps.

The extent to which the law, which goes into effect Jan. 1, is applicable to bug bounty freelancers will hinge on an individual’s specific professional situation, employment attorneys told CyberScoop. Yet the grey area in which these freelance hackers now sit exacerbates the kind of uncertainty that could ripple throughout the security world, where contract work is plentiful.

The law enacts the so-called “ABC” test, in which businesses seeking to classify would-be employees as independent contractors can do so only if A) workers are “free from the control and direction” of the hiring entity, B) the workers’ responsibilities are outside the critical functions of the business and C) workers also have another role at an unrelated business operating in a similar field as the hiring entity.

Labor lawyers who spoke with CyberScoop differed on where bug bounty freelancers would fall in the ABC test.

“The functional issue will be whether the independent contractor’s role is a key part of the business,” said Edward Kraus, an attorney with experience on labor issues at the Silicon Valley Law Group. “If a bug bounty company’s primary job is to test companies by hiring out that work to contractors, that work is now questionable.”

Veena Dubal, an associate professor of law at the University of California Hastings College of the Law, was less circumspect. “Yes,” she said when asked if bug bounty contractors’ status will change. “They will need to be treated like employees, and it doesn’t have to affect their flexibility at all.”

The “ABC test” is already a matter of an ongoing debate in the halls of state government and Silicon Valley boardrooms. Tony West, Uber’s chief legal counsel, provided a glimpse into the company’s legal strategy when he told reporters Uber would pass the test based on the argument drivers do work outside the $31 billion firm’s core business. That stance almost certainly will be tested in court, likely resulting in a decision that clarifies how other firms will need to comply with AB5, legal experts said.

David Balter, assistant chief legal counsel for California’s division of labor standards, said the law “is not black and white” for bug bounty freelancers. A person who works primarily with one bug bounty company might have a stronger legal claim to be an employee, he acknowledged, while a freelancer submitting bugs to multiple vendors may have a “less clear” path to victory in court.

Bug bounty platform HackerOne defines its hackers as independent third parties interested in participating in the bounty programs and connecting with clients. The company has raised $110.4 million, according to Crunchbase, in part by introducing customers like GM and Starbucks to white-hat hackers.

A representative for the company declined to comment for this article.

Competitors Synack and Bugcrowd both describe their hackers as contractors. The companies each acknowledged they’re monitoring the legal situation.

“The gig economy is still a young model, but it’s clearly the future of many types of work – it’s what many workers affirmatively want,” a Bugcrowd spokeswoman said in a statement. “What this law is and how it will be ultimately implemented continues to evolve and we continue to watch it, but we’re confident that in the end it will not negatively impact our model.”

If regulators do determine bug bounty firms are violating the law, it could become difficult to retain freelance triage contractors, said Katie Moussouris, founder of Luta Security and a former HackerOne employee who also started Microsoft’s bug bounty program.

“Microsoft and other large companies already pay six figures and give great benefits,” she said of triage personnel, adding that the job, which involves sifting through bug reports, is inherently repetitive and stressful.

“They will have to see what Uber and Lyft do,” she said of bug bounty providers. “But the triage personnel…that’s in the maintenance category of defense that has to understand offense and have good communication skills. [It’s] hard to hold on to those because it’s the toughest job you’ll never love.”