Bug bounty programs offer security researchers a way to examine online services for security weaknesses and report the vulnerabilities they find. Swiss criminal law, however, makes no provision for this. On the contrary, Article 143bis StGB is explicitly directed against unauthorized intrusion into a third-party data processing system:
Any person who, by means of data transmission equipment, without authorization intrudes into a third-party data processing system that is specially secured against such access shall be liable, on complaint, to a custodial sentence not exceeding three years or to a monetary penalty.
StGB 143bis – https://www.admin.ch/opc/de/classified-compilation/19370083/index.html#a143bis
Professional penetration testers are regularly confronted with this provision in the course of their work. For them, the contract with the owner of the systems resolves the issue: the owner's consent means the access is not unauthorized.
For bug bounty hunters the situation is different. At the moment they examine the third-party system, they are generally not in any regulated contractual relationship with its owner and must therefore, in the worst case, expect the owner to file a criminal complaint against them.
Admittedly, cross-border prosecution of cybercrime is lengthy and rarely pursued. For domestic researchers, however, criminal law poses a tangible threat.
This problem arises in other jurisdictions as well. Internationally, the Israeli-American researcher Amit Elazari in particular has drawn attention to the need for a «legal safe harbor» for bug bounty programs.
A guide published by the Dutch National Cyber Security Centre (NCSC) serves as a model: it explains how bug bounty programs can be organized under Dutch law.
A corresponding template has been missing for Switzerland. In the run-up to its bug bounty program in 2018, Swiss Post already gave this topic intensive thought and applies a code of conduct for bounty hunters. It obliges researchers to behave in accordance with the rules within the scope of the bug bounty program. If they do, Swiss Post in return undertakes to refrain from any criminal prosecution and, in addition, to provide legal assistance to the researchers should a third party initiate such a prosecution.
We have reviewed this Legal Safe Harbor and, in agreement with Swiss Post, present here a model text that can be used for other bug bounty programs in Switzerland:
Consequences of complying with the Code of Conduct (Legal Safe Harbor)
- The owner will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of the Code of Conduct
- The owner interprets activities by participants that comply with the Code of Conduct as authorized access under the Swiss Penal Code. This includes Swiss Penal Code paragraphs 143, 143bis and 144bis.
- The owner will not file a complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this program.
- If legal action is initiated by a third party against a participant and the participant has complied with the Code of Conduct as outlined in this document, the owner will take the necessary measures to make it known to the authorities that such participant’s actions have been conducted in compliance with this policy.
- Any non-compliance with the Code of Conduct may result in exclusion from the program. For minor breaches, a warning may be issued. For severe breaches, the organizers reserve the right to file criminal charges.
The Legal Safe Harbor is provided under the Creative Commons Attribution 4.0 International licence (CC BY 4.0). Commercial use and modification of the text are permitted as long as www.bugbounty.ch is credited as the source.
Swiss Post's wording has in fact already been adopted elsewhere: MELANI / NCSC uses it for the Public Security Test (PST) of the SwissCovid proximity tracing system.
Two of the entries above were, however, apparently changed to the testers' disadvantage. Since the test of the tracing system is primarily a source code analysis and the servers of the Federal Office of Public Health are out of scope, protection from prosecution plays a lesser role there. MELANI / NCSC therefore deleted the fourth point and dropped the gradation for minor breaches in the fifth point. Both changes seem reasonable to us in this specific case.
For regular bug bounty programs, however, it is important to adopt the relevant passages in full: only then are domestic testers protected from prosecution.