Bug Bounty Fundamentals

Legal & Ethical Considerations


Bug bounty hunting exists in a legal gray area. Understanding scope, safe harbor provisions, and ethical boundaries protects both you and the organizations you test.

Safe Harbor Basics

Safe harbor clauses protect researchers who:

  1. Stay within scope: Only test explicitly authorized assets
  2. Follow rules: Respect rate limits, don't access customer data
  3. Report responsibly: Submit findings through official channels
  4. Act in good faith: Intent is to improve security, not cause harm

Example Safe Harbor Language

"We will not initiate legal action against researchers who make a good faith effort to comply with this policy, including... avoiding privacy violations, destruction of data, and interruption or degradation of our service."

Always read the full policy before testing.

Scope Definition

In-Scope (Safe to Test)

  • Domains explicitly listed in program scope
  • Subdomains if wildcards are included (*.example.com)
  • Specific functionality mentioned (e.g., "authentication flow")

Out-of-Scope (Do Not Test)

  • Third-party services (AWS, Cloudflare, payment processors)
  • Physical attacks or social engineering (unless explicitly allowed)
  • Denial of Service testing
  • Customer data access beyond demonstration
  • Automated scanning at high volumes (unless permitted)
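The wildcard rule above has edge cases that are easy to get wrong by hand: `*.example.com` covers `api.example.com` but not the apex `example.com` (unless it is listed separately) and not look-alike hosts such as `notexample.com`, and an out-of-scope entry must win over an in-scope one. The following scope checker is an added example written for this page, not tooling from any bug bounty platform or program; the `IN_SCOPE` and `OUT_OF_SCOPE` lists are constructed sample policy entries, and the checker assumes scope entries are bare hostnames or `*.`-prefixed wildcards (paths and IP ranges are not handled).

```python
from urllib.parse import urlsplit

# Constructed sample policy, modelled on the page's "*.example.com" example.
# A real program's scope would be copied from its published policy page.
IN_SCOPE = ["example.com", "*.example.com"]
OUT_OF_SCOPE = ["cdn.example.com", "*.payments.example.com"]


def normalize_host(target):
    """Reduce a URL or bare host to a lowercase hostname with no scheme, port or path.

    Accepts "https://API.example.com:443/login" or "api.example.com" alike.
    Returns "" when no hostname can be extracted.
    """
    text = target.strip()
    if "://" not in text:
        # Prefix "//" so urlsplit treats a bare host as a network location.
        text = "//" + text
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def entry_matches(entry, host):
    """Return True if one scope entry covers the (already normalized) host.

    "*.example.com" matches any subdomain with at least one extra label,
    but neither the apex "example.com" nor unrelated hosts such as
    "notexample.com" (the leading dot in the suffix prevents that).
    Any other entry must match the host exactly.
    """
    entry = entry.strip().lower()
    if entry.startswith("*."):
        suffix = entry[1:]          # ".example.com"
        return host.endswith(suffix)
    return host == entry


def classify(target):
    """Decide whether a target is authorized under the sample policy.

    Returns (verdict, matching_entry) where verdict is "in-scope",
    "out-of-scope" or "invalid". Out-of-scope entries are checked first
    so an explicit exclusion always overrides a broader in-scope wildcard.
    Anything not listed at all is treated as out of scope.
    """
    host = normalize_host(target)
    if not host:
        return ("invalid", None)
    for entry in OUT_OF_SCOPE:
        if entry_matches(entry, host):
            return ("out-of-scope", entry)
    for entry in IN_SCOPE:
        if entry_matches(entry, host):
            return ("in-scope", entry)
    return ("out-of-scope", None)


def authorized(targets):
    """Keep only targets that classify as in-scope, preserving order."""
    return [t for t in targets if classify(t)[0] == "in-scope"]


if __name__ == "__main__":
    # Constructed sample targets to exercise the edge cases discussed above.
    for candidate in [
        "https://api.example.com/login",
        "example.com",
        "notexample.com",
        "cdn.example.com",
        "staging.payments.example.com",
        "http://EXAMPLE.COM:8443/",
        "",
    ]:
        print(f"{candidate!r:40} -> {classify(candidate)}")
```

Run it before touching anything: a host that comes back `out-of-scope` or `invalid` is not covered by the policy, whatever a subdomain list or search engine may have suggested, and the explicit exclusions are evaluated first so a narrow carve-out is never masked by a wildcard.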

What Can Go Wrong

Action                                   Consequence
---------------------------------------  ----------------------------------
Testing out-of-scope domains             Account ban, legal action
Accessing customer data                  Criminal charges (CFAA violations)
Causing service disruption               Ban + potential lawsuit
Publishing before disclosure period      Reputation damage, legal risk
Using automated scanners recklessly      IP ban, program removal

Jurisdictional Considerations

  • US: Computer Fraud and Abuse Act (CFAA), which is interpreted broadly
  • EU: GDPR affects how you handle any personal data found
  • Your country: Local laws may apply regardless of target location

Critical: Safe harbor only protects you if the program explicitly offers it. Vulnerability Disclosure Programs (VDPs) that pay no bounty may still include safe harbor language, so read the policy text rather than judging by the payout.

Ethical Guidelines

  1. Minimize impact: Use the least invasive method to prove a vulnerability
  2. Don't hoard: Report findings promptly, don't stockpile for later
  3. Respect privacy: Don't read, copy, or share user data beyond proof
  4. No extortion: Never threaten to disclose if bounty isn't paid
  5. Credit others: Acknowledge prior research and collaborators

Documentation Practices

Always document:

  • Timestamp of discovery
  • Exact steps to reproduce
  • Evidence (screenshots, HTTP requests/responses)
  • Impact assessment
  • Any data accessed (redact sensitive info)

This protects you if your actions are ever questioned.

Next, we'll help you choose your first bug bounty program strategically.
