
Bounty hunters on the move – Bug Bounties in the employment relationship


Due to the increasing digitalisation of the economy and social life as a whole, software anomalies and errors can have considerable, sometimes even drastic impact. Malfunctions lead to interruptions in workflows. Security gaps make companies and other institutions vulnerable to cyberattacks by which data is stolen or systems are blocked with the intent to blackmail the data owner. According to estimates by the German Association for Information Technology, Telecommunications and New Media (BITKOM), the German economy suffers overall damage of 223 billion euros per year due to theft, espionage and sabotage, mainly caused by cyberattacks.

One instrument for prevention is the so-called Bug Bounty Programme. These programmes allow companies to offer monetary or in-kind rewards to motivate honest („ethical“) hackers to report bugs and weaknesses in their systems. By now, Bug Bounty Programmes are run by a large number of companies. Lists of current programmes are published on sites such as www.bugcrowd.com, www.hackerone.com or www.intigrity.com. Individual rewards can reach five- to six-figure amounts. According to media reports, Microsoft paid out rewards amounting to 13.6 million dollars to a total of 341 hackers as part of its Bug Bounty Programme between 1 July 2020 and 30 June 2021.

It is still unclear how to deal with Bug Bounties in the employment relationship.

Legal nature of Bug Bounty Programmes

A Bug Bounty Programme allows a company to offer a reward to whoever detects a bug and reports it to the company. Bug Bounty Programmes are usually published on the company’s homepage and are therefore addressed to the general public („Open“ Bug Bounty Programmes). Additionally, there are programmes that are only open by invitation of the company („Closed“ Bug Bounty Programmes). Generally, bugs must be reported in accordance with certain requirements. Typically, it is assumed that initially only the company is informed by a bug report („Responsible Disclosure“). In doing so, the company has the opportunity to fix the bug, in particular to close the security gap, before others become aware of it.

In the sense of German civil law, Open Bug Bounty Programmes are thus to be classified in any case as „binding promises“ or „Auslobung“ (public offer of a reward), regulated in sections 657 et seq. BGB (German Civil Code). Accordingly, the offering party offers a reward by means of a public announcement for the performance of an act, in particular the achievement of a success. If a person performs the required act, s/he is eligible for the reward. The intention of the person to create legal relations is not important; knowledge of the reward is not even a prerequisite.

The company and the bounty hunter do not enter into an employment relationship or any other employment relationship subject to social security contributions through this process, even if the bounty hunter repeatedly participates in Bug Bounty Programmes of the same company. This is because the bounty hunter is neither integrated into the company’s operational processes nor is s/he subject to the company’s instructions with regard to time and/or place of his/her activity. The fact that the Federal Labour Court (BAG) confirmed an employment relationship in December 2020 in the case of a so-called „Crowd Worker“ (also: „Platform Worker“) – which also included bug bounty hunters, depending on the definition of the term and the design of the programme – (PWWL reported on this) should not change this result. The BAG justified the formation of an employment relationship in particular by stating that the Crowd Worker did not have sufficient freedom to organise the place, time and content of his/her work due to the simple nature of the work and the tightly timed requirements for the fulfilment of the task. This is obviously different with Bug Bounty Programmes.

More interesting from an employment law perspective, however, are the issues arising from the fact that the bounty hunter is in an employment relationship with another company and detects and reports the bug on behalf of his/her employer, in the exercise of his/her duties or in the course of his/her employment:

Bug Bounties in the employment relationship

If an employee detects a bug in the course of his/her professional activity, the question arises as to who is entitled to the reward, the employee or the employer.

Initially, this is unambiguous if the employer itself participates in a Bug Bounty Programme and deploys the employee for this purpose. In this case, the research is carried out directly on the employer’s instructions and the reporting of any bug, i.e. the bug report, is carried out on its behalf. In case of success, the employer is entitled to the reward. However, this is probably a rare constellation in practice. It is not impossible for companies to participate in Bug Bounty Programmes, but so far only a few employers deploy their employees specifically for this purpose.

The case, where the employee is not directly instructed by his/her employer to identify bugs in the context of a Bug Bounty Programme, but detects such bugs in the course of his/her work under his/her employment contract, is not to be assessed differently. Situations may be considered in which the employee detects weaknesses in the employer’s customer’s systems while working for them. Here, too, the employer is entitled to a possible reward from a Bug Bounty Programme. This results from section 667 Alt. 2 BGB. According to this, the contractor is obligated to hand over to the employer everything that s/he obtains from the assignment. All benefits are covered which are attributable to the performance of the assignment via an internal connection and are thus assigned to the contractor. Section 667 Alt. 2 BGB is to be applied mutatis mutandis in the employment relationship according to settled case law. Accordingly, the employer is also entitled to a reward from a Bug Bounty Programme and the bug must be reported in the name of the employer. Of course, the employee must consult with the employer in advance, unless there are already arrangements for dealing with Bug Bounties in the employment relationship. 

And even if the employee detects bugs without any internal connection to his/her contractual duties, i.e. only in the course of his/her work for the employer, the employer is generally entitled to a reward. This applies in any case if the employee uses the employer’s resources, such as its hardware, for this purpose, even if only to a small extent. The decisive factor is whether an overall assessment of the circumstances of the individual case shows that the employer can be regarded as the beneficial owner. 

Only if the employee participates in a Bug Bounty Programme without any connection to his/her employment and outside his/her working hours with his/her own resources, s/he alone is entitled to a reward. However, it may be necessary to examine in individual cases whether this might be a secondary employment which requires the employer’s approval. 

Possibilities to handle this issue

So far, there is no case law on how to deal with Bug Bounties in the employment relationship. And the legal literature has also hardly dealt with the related issues. In order to avoid uncertainties, it therefore makes sense to adopt regulations for employees who are potential participants in Bug Bounty Programmes. Essential points can be

  • the employee’s obligation to obtain the employer’s consent for participation in a Bug Bounty Programme in each individual case,
  • modalities for reporting the bug and preparing the bug report on behalf of the employer,
  • the amount of working time the employee is allowed to spend on the participation in the Bug Bounty Programme and the priority given to other official duties,
  • an appropriate share of the employee in any rewards.

Corresponding regulations can be created through agreements with the employees. Since the points addressed are in principle covered by the employer’s right to issue instructions, however, a unilateral regulation by the employer, for example in the form of guidelines, is also possible. 

Conclusion

In principle, the employer is entitled to Bug Bounties earned by the employee in the course of or in connection with his/her contractual duties. Only if the employee participates in a Bug Bounty Programme in his/her free time and without using the employer’s resources is s/he entitled to a reward. In order to avoid uncertainties, it makes sense to issue regulations for potentially interested employees on how to deal with Bug Bounties.

Dr. Albrecht Nehls

Dr. Albrecht Nehls specializes in advising and representing managing directors and board members as well as works constitution law.

Julian Hartfill

Julian Hartfill specializes in termination disputes, canon employment law, the drafting of employment contracts and the distinction between self-employed and dependent employees.
