Drafting Bug Bounty (Ethical Hacking) Agreements

Where does the Lawyer come in?

The relationship between a corporate like Safaricom and an individual bug bounty hunter (ethical hacker) is a contract inter partes and is partially regulated under the Law of Contract Act. It is also governed by the Data Protection Act and the Computer Misuse and Cybercrimes Act. Counsel comes in to regulate the conduct of the parties on those details of the relationship which the law does not yet fully anticipate. Here are the core clauses to include in your Ethical Hacking (Bug Bounty Hunting) Agreements.

1.    Vendor Liability

The corporate (e.g. Safaricom), as a data controller, remains liable for the protection of customer data. In the event of an unlawful breach of data protection rights, the corporate will be held liable for the acts of the bug bounty hunter.

2.    Personal Liability for the Ethical Hacker

Negligence and criminal offences committed by the hacker will be borne by the hacker. Much as the corporate is liable to the customer for data breaches, the hacker will be held personally liable for negligence and criminal acts arising under the Computer Misuse and Cybercrimes Act and the Data Protection Act. For example, unauthorized disclosure of customer data will attract penalties and jail terms for the individual hacker.

3.    Non-Disclosure Agreement (NDA) clauses

The terms of the standard Non-Disclosure Agreement will apply. The bug bounty hunter must place themselves under the same confidentiality terms with which the corporate is obliged to comply. Safety and privacy of data are crucial in this Agreement, and stiff penalties must be imposed for unlawful disclosure of customer data. This is on the understanding that the customer, in the event of such disclosure, will seek remedies from the corporate, and the corporate must in turn be indemnified by the bounty hunter.

4.    Clause against Offensive Use

Private ethical hacking programs for corporates allow the corporate to control who engages their systems through a vetting exercise. Once the hacker(s) have been identified, the terms of participation in the bug bounty program must include a clause for non-offensive use. This protects the information discovered by the bug bounty hunter in the system or software against misuse, for example, selling it to competitors who are likely to exploit the information for their own interest.

5.    Undertaking to Uphold Ethical standards

The underlying concept in bug bounty programs is that the hackers/participants are ethical hackers, that they will uphold the best practice of ethical hacking, and that they will fully comply with the law and the contract.

6.    Duty to keep their discoveries Confidential

Inviting hackers to check your system for bugs is a risk in itself, since they will have in their possession valuable information which can be exploited. Fortune 500 companies in particular are noticing an increase in attacks on the applications they've tried to protect with bug bounties. The Bug Bounty Agreement must have a clause requiring hackers to keep their discoveries confidential.

7.    Duty to seek Authorization before accessing the system

An ethical hacker must seek authorization from the organization that owns the system. Hackers should obtain complete approval before performing any security assessment on the system or network. What sets ethical hackers apart from black hat hackers is the authority to access a corporate's systems, which otherwise amounts to unlawful access under the Computer Misuse and Cybercrimes Act.

8.    Duty to Report all Findings

The Agreement should ensure that the ethical hacker has an obligation to report any security breaches and vulnerabilities found in the system or network. Fines for non-disclosure may also be set.

9.    Duty to Erase Traces

The ethical hacker should be under a duty to erase all traces of the hack after checking the system for vulnerabilities. This prevents malicious hackers from entering the system through the identified loopholes by way of poorly protected findings held by the ethical hacker. Once the report has been shared with the corporate, traces of it should be erased.

There you have it, ladies and gentlemen!

Written by Elixa on Tuesday May 14, 2024
