Vulnerability Disclosure Policies and Bug Bounty Programs: Legal Protections for Ethical Hackers Under Indian Law

Introduction

Security research is a public good. The identification and disclosure of software vulnerabilities before malicious actors exploit them protects individuals, organisations, and governments from harm. Ethical hackers, penetration testers, and security researchers perform this work as a profession, a vocation, or a civic contribution. The tension in their legal position is acute: finding a vulnerability in a system necessarily involves activities that could constitute unauthorised access under computer crime statutes, yet the alternative, an ecosystem where vulnerabilities go unreported because researchers fear prosecution, is demonstrably worse for everyone.

This tension between the social value of security research and the letter of computer crime law has been recognised globally but has been resolved differently across jurisdictions. The United States has grappled with it through the Aaron Swartz case, the Department of Justice’s prosecutorial guidance revisions, and the Supreme Court’s reinterpretation of the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States (2021). The United Kingdom has engaged in sustained debate about reforming the Computer Misuse Act 1990. The European Union has addressed it through the EU Cybersecurity Act and the NIS2 Directive’s vulnerability disclosure provisions.

India has made partial progress. The CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy, issued in 2024, represents a meaningful institutional acknowledgment of the problem. Government entities have established bug bounty programs. The private sector runs formal security testing programs. Yet the fundamental statutory gap remains: the IT Act, 2000 does not contain a responsible disclosure safe harbour, and a security researcher who discovers and reports a vulnerability in a banking system, a government portal, or a critical infrastructure operator does so without any legal protection if the system owner chooses to treat the report as an admission of unauthorised access.

Legal Framework

Section 43 of the IT Act, 2000 imposes civil liability on any person who, without the permission of the owner or person in charge of a computer or computer network, accesses or secures access to it. The provision applies to a range of acts including accessing the computer, downloading data, introducing a computer contaminant, causing damage, disrupting access, and assisting in any of the foregoing. The civil penalty is compensation to the affected party.

Section 66 creates the corresponding criminal offence: dishonestly or fraudulently doing any act referred to in Section 43. The addition of the mental element, dishonesty or fraud, is the principal distinction between civil and criminal liability under the Act. However, the definition of dishonesty in the Indian context (from the Indian Penal Code: with the intention of causing wrongful gain to one person and wrongful loss to another) and fraud (inducing a person to do something against their interests by deceit) are broad enough that the mens rea threshold can be satisfied in contexts well short of malicious hacking.

The problem for ethical hackers is that the Section 43 civil liability does not require any mental element: civil liability for unauthorised access is strict. Even if a security researcher accesses a system to identify and report a vulnerability with entirely good intentions, they may face a civil claim for compensation if the system owner objects. The Section 66 criminal threshold requires dishonesty or fraud, which provides some protection to genuinely well-intentioned researchers, but the threat of a criminal investigation, even one that ultimately fails to result in prosecution, is itself a serious deterrent to security research.

The Bharatiya Nyaya Sanhita (BNS), 2023 repealed and replaced the Indian Penal Code but did not significantly alter the landscape for computer-related offences, which remain primarily governed by the IT Act.

Judicial Developments

Indian courts have not yet definitively adjudicated a case where a security researcher faced prosecution for responsible vulnerability disclosure. The closest analogues are cases involving disclosure of security vulnerabilities in government systems, which have typically been resolved through prosecutorial discretion rather than judicial determination of legal principles.

Several Indian security researchers have reported experiences of receiving legal notices or facing informal police inquiries after disclosing vulnerabilities in private sector or government systems, even where the disclosure was made through responsible channels and the vulnerability was fixed. These experiences, while not resulting in published judgments, illustrate the chilling effect of the legal uncertainty. A researcher who finds a serious vulnerability in a banking system’s API knows that reporting it to the bank carries a risk that the bank will deny having authorised the research and file a complaint, leaving the researcher to defend a criminal investigation.

The Delhi High Court’s interpretation of Section 43 in Sanjay Kumar Kedia v. Narcotics Control Bureau (2008) and related decisions established that access without authority requires that the access be to a computer resource for which the accessing person has no authorisation, express or implied. The implied authorisation concept is significant: if a website’s terms of service do not expressly prohibit security testing but also do not authorise it, does a security researcher who tests the site have implied authorisation? Courts have not provided a clear answer.

The Supreme Court in R. Rajagopal v. State of Tamil Nadu (1994) and the subsequent right to privacy jurisprudence culminating in Puttaswamy (2017) have established that fundamental rights considerations apply to the state’s exercise of its coercive powers, including criminal investigation. A security researcher facing prosecution for responsible disclosure might invoke Article 19(1)(g) (freedom of trade and profession) and the proportionality principle from Puttaswamy to challenge the application of Section 66 to good-faith security research.

Contemporary Issues and Analysis

The CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy (RVDCP), issued in 2024, is the most significant recent development in this space. The Policy establishes a process through which security researchers can report vulnerabilities in systems operated by government entities through CERT-In as an intermediary, with a 90-day disclosure timeline before public release of vulnerability details. CERT-In will coordinate with the affected organisation to remediate the vulnerability and will acknowledge the researcher’s contribution.

However, the RVDCP contains a critical limitation: it creates a process and an acknowledgment mechanism but does not create a legal safe harbour. Researchers who follow the RVDCP process have no statutory immunity from prosecution by either the system owner (for the initial access that identified the vulnerability) or by the state (under Section 66). The Policy represents an executive-level commitment to treat such disclosures favourably, but it is not legally binding on law enforcement or on private parties.

This limitation distinguishes the Indian RVDCP from more protective models elsewhere. A policy document that creates an informal expectation of non-prosecution is not equivalent to a statutory provision or a formal prosecutorial guideline that creates a binding commitment. A researcher who discovers a vulnerability in UIDAI’s Aadhaar systems and reports it through CERT-In’s RVDCP process has some institutional protection but no legal protection if UIDAI or the government chooses to treat the discovery as an intrusion.

Bug bounty programs operated by Indian government entities including the National Informatics Centre (NIC) and UIDAI, and by private sector entities including Flipkart, PhonePe, and several fintech companies, provide a more concrete, if limited, form of protection. A researcher who operates within a bug bounty program’s scope and rules has received authorisation, resolving the Section 43 authorised access problem for in-scope systems. The legal limitation is that most bug bounty programs are narrow in scope; they cover specific applications or systems and exclude others. A researcher who discovers a vulnerability outside the declared scope, even if they report it responsibly, does not benefit from the authorisation the program provides.

The United States experience with the Aaron Swartz case has become a global touchstone for the problems with computer crime statutes that do not accommodate good-faith security and information access research. Swartz, a programmer and internet activist, was indicted under the CFAA for accessing MIT’s network to download academic articles from JSTOR. He faced up to 35 years in prison. He died by suicide in 2013 while the prosecution was pending. The case galvanised reform efforts in the US and internationally, though the CFAA was not significantly amended until the Supreme Court’s Van Buren decision narrowed its reach.

Comparative and International Perspective

The Computer Fraud and Abuse Act in the United States was, before Van Buren, interpreted broadly enough to criminalise terms-of-service violations. The Supreme Court in Van Buren v. United States (2021) held that the “exceeds authorised access” provision of the CFAA applies only to persons who access computer areas they are not permitted to access, not to persons who access permitted areas for impermissible purposes. This narrowing interpretation provides some protection to security researchers who access systems they are authorised to access, but the CFAA’s basic structure still creates liability for unauthorised access.

The Department of Justice issued revised prosecutorial guidance in 2022 expressly stating that it would not bring cases under the CFAA “where the defendant’s conduct consisted of good-faith security research.” Good-faith security research is defined as accessing a computer for purposes of testing, investigating, or correcting a security flaw or vulnerability, where such conduct is carried out in a manner designed to avoid harm to individuals and organisations, and where the information derived is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs.

The UK’s Computer Misuse Act 1990 has faced sustained reform pressure from the security research community. The Act criminalises unauthorised access to computer material without a good-faith security research defence. The Law Commission recommended in 2020 and 2022 that a statutory defence for good-faith security research be introduced, and the government conducted consultations through 2023-2024. As of early 2026, legislative amendment remained pending but represented a political commitment that India lacks.

Germany’s approach is more permissive by statute: Section 202a of the German Criminal Code (Strafgesetzbuch) criminalises access to data that is specially protected against access, where the access is without authorisation. Courts have interpreted “specially protected” narrowly, meaning that access to data that is technically accessible (even if not intended to be) may not meet the criminal threshold. German HackerOne-enabled programs have operated in relative legal safety under this interpretation.

The EU Cybersecurity Act and the NIS2 Directive both encourage coordinated vulnerability disclosure and require member states to have vulnerability disclosure policies. The EU’s European Union Agency for Cybersecurity (ENISA) has published guidance on establishing national Coordinated Vulnerability Disclosure frameworks that include legal protections for researchers who act in good faith and within defined parameters.

Practical and Policy Implications

For security researchers operating in India, the practical risk management approach involves seeking explicit written authorisation before testing any system not covered by a formal bug bounty program, scrupulously following CERT-In’s RVDCP process for government system disclosures, documenting all research activities in a manner that demonstrates good-faith intent, and seeking legal counsel before making any disclosure that may be contentious.

Professional penetration testing firms operate under engagement letters that provide contractual authorisation for their activities, substantially resolving the Section 43 problem for their contracted work. Independent researchers who discover vulnerabilities without prior authorisation are in a more difficult position.

For organisations running bug bounty programs, the scope definition is legally critical. A well-drafted scope that clearly defines in-scope systems, authorised testing techniques, and prohibited actions provides the authorisation that removes Section 43 liability for in-scope research. Programs that provide monetary rewards should document the reward as a payment for authorised services rendered, creating a contractor relationship rather than a gratuity.

Suggestions and Reforms

The most important reform is the enactment of a statutory good-faith security research defence in the IT Act. The defence should protect individuals who: access a computer or computer network for the purpose of identifying a security vulnerability, take reasonable steps not to cause harm to the system or its users, and promptly disclose the vulnerability to the system owner or CERT-In through a prescribed process. The defence should be available regardless of whether the access was technically authorised, provided the researcher acted in good faith and disclosed responsibly.

CERT-In’s RVDCP should be elevated to a formal legal instrument, such as a rule under Section 87 of the IT Act, that creates binding obligations on both researchers (to follow the disclosure process) and system owners (not to bring civil or criminal action against researchers who comply). The binding commitment should be on system owners: a system owner that participates in the RVDCP process and receives a disclosure should be prohibited from pursuing civil or criminal action against the disclosing researcher for the disclosing act.

The government should establish a national bug bounty platform, operated by CERT-In or NCIIPC, covering all government digital systems and providing meaningful financial rewards calibrated to vulnerability severity. Singapore’s Government Bug Bounty Programme provides a useful model.

Conclusion

The legal protection of security researchers in India remains inadequate. The combination of broad unauthorised access provisions, the absence of a statutory good-faith defence, and the dependence on informal administrative protections that are not legally binding creates a chilling effect on responsible security research. The harms from this chilling effect are diffuse but real: vulnerabilities that are found but not reported, or reported privately to system owners who choose to suppress rather than fix them, remain exploitable by malicious actors.

The international trajectory is clear: countries are moving towards creating statutory safe harbours for good-faith security research, establishing formal coordinated vulnerability disclosure frameworks, and operating meaningful bug bounty programs. India has begun this journey with the RVDCP and government bug bounty programs, but the absence of statutory reform leaves the legal position of researchers fundamentally insecure. Legislative action to close this gap is overdue.

About the Author

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like these