Legal Safe Harbour for Swiss Bug Bounty Programs
We ran last year’s Swiss Cyber Storm under the motto “Embracing the Hackers”. One of the topics we covered was Bug Bounty Programs. A BBP is often seen as a standard element of a comprehensive application security program. But they are also mostly unheard of in Switzerland.
We had very good feedback for this motto and we are indeed seeing some movement on the Bug Bounty front. More and more programs are popping up and more companies are actively thinking about launching a private or even a public program.
One remaining issue that is often quoted as a roadblock is the legal situation around Swiss criminal law article 143bis. This makes almost any sort of hacking illegal. A port scan might be OK, but trying out a simple SQLi can be enough to be charged with a felony. And given that it is criminal law, even third parties can send the police after a bounty hunter.
So setting up a bug bounty program can mean that you expose Swiss bug bounty hunters to legal jeopardy.
A welcome way to solve this problem would be to make 143bis more hacker-friendly. Check out the website 143bis.ch for a thorough legal analysis of the problem.
A temporary remedy is to come up with a wording that can be used as a legal safe harbor within a Swiss Bug Bounty Program.
Bug Bounty Switzerland has published such a text: a wording they received from Swiss Post and that they release under a Creative Commons license (Attribution 4.0 International: CC BY 4.0). Feel free to copy and use this in your bug bounty program. But make sure to link https://www.bugbounty.ch/legal-safe-harbor/ as your source.
Here is the text, which you can copy 1:1:
Consequences of complying with the Code of Conduct (Legal Safe Harbor)
1. The owner will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the Code of Conduct.
2. The owner interprets activities by participants that comply with the Code of Conduct as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis, and 144bis.
3. The owner will not file a complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this program.
4. If legal action is initiated by a third party against a participant and the participant has complied with the Code of Conduct as outlined in this document, the owner will take the necessary measures to make it known to the authorities that such participant’s actions have been conducted in compliance with this policy.
5. Any non-compliance with the Code of Conduct may result in exclusion from the program. For minor breaches, a warning may be issued. For severe breaches, the organizers reserve the right to file criminal charges.