The Justice Department has released guidelines to help organizations design bug bounty programs. The Criminal Division’s Cybersecurity Unit has prepared this framework to assist organizations interested in instituting a formal vulnerability disclosure program.

It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs.

Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.

Vulnerability disclosure programs involving third-party vulnerability disclosure and hands-on—rather than remote—examination of software, devices, or hardware may raise legal issues not addressed by this guidance, which is focused on discovery and disclosure of vulnerabilities involving online systems and services.

For purposes of this document and consistent with the Common Weakness Enumeration definition, a “vulnerability” is an occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.