Cyber Law Compliance Center
Promoted by www.naavi.org
Model Bug Bounty Policy
[Version: 26th March 2016]
Bug Bounty Policy
This “Company” ………………..<name of Company> is a voluntary member of Naavi’s Cyber Law Compliance Center and adopts the following model policy.
This “Bug Bounty Policy” applies to any software that is released by the Company under the brand …………. <Name of the Brand> for public use and used in accordance with the End user License Agreement (EULA) accompanying such software.
The Company is committed to the highest traditions of quality and professional ethics as to the release of any software under the brand …….. and follows the best industry practices to ensure quality of its products.
As a measure of our commitment to quality, we have initiated several measures to adequately test any product released for public use to detect and eliminate any software bugs that might have inadvertently been left undetected in the process of development.
However, we recognize that due to the dynamic nature of the user’s technology environment and the inherent nature of software, which depends on many other tools and factors both at the time of development and at the time of use, certain bugs may remain and may come to be detected by an alert user.
This policy is intended as a further continued voluntary measure towards improvement of the software quality.
It is recognized that, as per the general End User License Policy used by the Company, any person who identifies any such “Bug” is duty bound to immediately bring it to the knowledge of the Company and to refrain from making any wrongful gain out of the detected bug; any such attempt shall be regarded as a potential offence under law.
This policy is intended to reward any person who brings to our knowledge the presence of any defect or software bug that affects the functionality of our software, in order to encourage technological advancement and to prevent possible misuse of the bug by unethical persons.
A “Software Bug” or simply a “Bug” as used in the context of this policy refers to any error, flaw, failure or fault in a computer program or system developed by or used in the services of the Company that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
The Company has constituted a “Bug Bounty Committee” which will evaluate every report of a suspected “Bug” and its decision on whether any process or functionality is a “Bug” under the above definition shall be considered as “Final and Binding” on all parties.
The Bug Bounty Committee shall consist of such persons as the Company may determine and shall include the CEO and CFO of the Company, besides at least one of the Directors of the Company and one or more External Experts.
Procedure for Reporting
Any person intending to report a bug shall inform the Company at the e-mail address ………. <Designated E Mail Address>, indicating the name and address of the person reporting and a brief description of the bug.
On receipt of the mail, the Company will
a) Register the report as a potential “Bug Bounty Claim”
b) Acknowledge the person reporting the bug
c) Forward the claim details to the Bug Bounty Committee for further action
d) Report the matter as a “Security Incident” under the Information Security Policy, whereupon the Information Security team shall initiate appropriate action from the Information Security perspective, reporting the developments to the Bug Bounty Committee for its information until the matter is fully resolved from the Information Security perspective.
The Bug Bounty Committee shall initiate immediate action for investigation of the reported “Bug” as it deems fit.
Where necessary the Committee will call for further information from the reporter to find out all aspects of the reported bug.
Responsibilities of the Reporter
It shall be the duty of the Bug Reporter to maintain secrecy and confidentiality of the Bug and shall not disclose any information thereof except with the written permission of the Company.
The Bug reporter shall cooperate with the Committee to assist in the investigation by recreating the exact environment in which the Bug Behaviour was observed.
The Bug Bounty Committee will send its resolution report to the Bug Reporter, indicating the action taken by the Company, whether or not the information may be released into the public domain and, if so, the extent of public disclosure that would be permitted on the part of the Bug Reporter.
Any unauthorized and premature disclosure of information about the Bug, whether real or otherwise, shall be considered a breach of the conditions of the End User License Policy and this Bug Bounty Policy, and the Company shall be free to take such actions as it may deem fit, including denying the reward under this policy and initiating any other action as may be found necessary.
It is further notified that any disclosure of a bug could result in its misuse by unscrupulous elements and could constitute an “Assistance” to commit crime, attracting action by the law enforcement authorities independent of any action taken by the Company.
On appropriate evaluation of the Bug Report by the Bug Bounty Committee, a report will be submitted by the Committee to the Board of Directors indicating
a) Whether the reported Bug qualifies for the reward
b) The potential benefit of its detection
c) Recommended reward
The reward may normally consist of
a) Letter and Certificate of Appreciation
b) A Financial Bounty
When the Committee does not agree that the reported defect qualifies to be called a “Bug”, or if it determines that the “Bug” is a benign bug unlikely to cause any material damage to any member of the public, the Committee may decide to
a) Refuse the claim stating the reasons
b) Consider a complimentary award in appreciation which may involve a nominal financial benefit
c) Take any other action or grant any other reward that the Committee may find appropriate.
The Board of Directors shall consider the report and approve an action plan based thereon. It would be open to the Board of Directors to accept, reject or modify the recommendations of the Bug Bounty Committee.
The CEO of the Company shall implement the plan of action as approved by the Board and convey the same to the Bug Reporter along with the Certificate and the Reward as may be required.
As regards the action initiated by the Company on the reported Bug, the decision of the Board of Directors shall be considered as final and binding on all parties and will override the recommendations of the Bug Bounty Committee.
In case of any grievance arising out of this Policy, the CEO shall be responsible for initiating necessary remedial action within 3 working days of receipt of the grievance.
Where necessary, the Company may seek the assistance of an Ombudsman to resolve the issue through mediation, failing which the dispute shall be resolved through online arbitration at www.odrglobal.in under the guidelines of the Arbitration and Mediation Act 1996 as amended.
P.S.: This document is created by Naavi and all rights of usage are reserved. Any person intending to use this document shall contact Naavi and obtain necessary permission.
If you intend to use any of these documents, the documents can be licensed upon request.
The license to use the documents may be provided free for non-commercial use.
Requests may be sent to Naavi along with particulars such as the name and contact details of the persons making the request and the purpose of use.