Updated: Jul 11, 2020
AB-5 is killing several industries. Are bug bounties going the way of the dodo?
With the myriad risks AB-5 poses to the gig economy, is the bug bounty a type of gig work that just can't exist in compliance with AB-5? The answer, like the answer most attorneys give to everything, is: it depends. In fact, a lot of companies probably can't do so-called bug bounties any more. A company whose business centers on finding bugs can no longer pay bug bounties as its primary means of compensation; workers finding bugs for such a company will have to be employees, not contract workers. But other companies can still safely offer bug bounties without concern. Likewise, corporate bug bounties offered to corporations and companies will likely always be legal.
So How Does This Work, Exactly?
AB-5 changed the law on how we determine who can and can't be an independent contractor. It used to be a long series of variables that included the perception of other persons. The new AB-5 test is pretty simple: it is a three-prong test.
The person is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.
The person performs work that is outside the usual course of the hiring entity’s business.
The person is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.
Unless all three of those are true, the person has to be an employee. So let's look at the typical bug-bounty hunter and run them against those tests.
Freedom and Independence
The typical person being paid by the hunt finds bugs on their own time, with their own equipment, hunting by their own preferred means, in the manner of their choosing. If they want to take a day off, they do. If they want to work four days straight without sleeping, they do. If they want to work from home, or Barbados, or a cubicle, or a corporate workstation, they can.
Work Outside the Usual Course of Business
A cybersecurity firm has to find bugs in order to do its job. The failure to find weaknesses in security systems would equate to the failure to provide security. So a company like HackerOne, Cisco, or McAfee would fail the test. Period. When you look at a company like Apple, they sell computer hardware: they could outsource all software if they wanted to, and they could certainly outsource their security, so outsourcing a single part of it is another thing entirely. Companies like Google (whose central product is data and thus, security is central to their product) or Facebook (where communication is central and thus security is another issue) are different, but, even so, the case is far more compelling.
Customary Engagement in an Independent Business
Here things get a little hairy. Any computer consultant who works for bug bounties absolutely checks yes on this box, as do IT workers, many kinds of office temps, etc. Additionally, there are persons who routinely supplement their living by working for bug bounty firms and doing various kinds of hacking and security work. Any of those persons passes this test.
What the Market Will Bear
The reality is that most first-party bug bounties can probably survive if they require a tax ID (which would suggest that the person customarily engages in an independent business), work on an invitation-only basis, or require people to sign something under penalty of perjury saying that this is something the person routinely works doing for other companies. On the other hand, the third-party bug bounty doesn't seem able to survive the second prong under any circumstance that I can see. So if you're thinking of offering a bug bounty on your own system, you probably can, but I would make public in the program that you are offering it only to security professionals, and require either an appropriate sworn statement or tax ID number to pay the hunter (note what will be required on the post describing the program). Need help with the language for your sworn statement? Give us a call. We can get you one, lickety-split. Thanks for reading.