Legal Safe Harbour for Swiss Bug Bounty Programs

Swiss Cyber Storm, published 6 October 2020 (https://www.swisscyberstorm.com/2020/10/06/legal-safe-harbour-for-swiss-bug-bounty-programs/)

We ran last year’s Swiss Cyber Storm under the motto “Embracing the Hackers”. One of the topics we covered was Bug Bounty Programs. A BBP is often seen as a standard element of a comprehensive application security program. But they are also mostly unheard of in Switzerland.

We had very good feedback for this motto and we are indeed seeing some movement on the Bug Bounty front. More and more programs are popping up and more companies are actively thinking about launching a private or even a public program.

One remaining issue that is often quoted as a roadblock is the legal situation around Swiss criminal law article 143bis. This makes almost any sort of hacking illegal. A port scan might be OK, but trying out a simple SQLi can be enough to be charged with a felony. And given that it is criminal law, even third parties can send the police after a bounty hunter.

So setting up a bug bounty program can mean that you expose the Swiss bug bounty hunters to legal jeopardy.

A welcome way to solve this problem would be to make 143bis more hacker-friendly. Check out the website 143bis.ch for a thorough legal analysis of the problem.

A temporary remedy is to come up with a wording that can be used as a legal safe harbor within a Swiss Bug Bounty Program.

Bug Bounty Switzerland has published such a text: a wording they received from Swiss Post and that they release under a Creative Commons license (Attribution 4.0 International: CC BY 4.0). Feel free to copy and use this in your bug bounty program. But make sure to link https://www.bugbounty.ch/legal-safe-harbor/ as your source.

Here is the text you can copy 1:1:

Consequences of complying with the Code of Conduct (Legal Safe Harbor)

1. The owner will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the Code of Conduct.

2. The owner interprets activities by participants that comply with the Code of Conduct as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis, and 144bis.

3. The owner will not file a complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this program.

4. If legal action is initiated by a third party against a participant and the participant has complied with the Code of Conduct as outlined in this document, the owner will take the necessary measures to make it known to the authorities that such participant’s actions have been conducted in compliance with this policy.

5. Any non-compliance with the Code of Conduct may result in exclusion from the program. For minor breaches, a warning may be issued. For severe breaches, the organizers reserve the right to file criminal charges.