
Is reporting bug in software and system illegal in Nepal?


In the burgeoning digital landscape of Nepal, software and system development plays a crucial role. However, the security of these programs hinges on the ability of ethical hackers and security researchers to identify and report vulnerabilities, commonly known as “bugs.” But here’s the rub: is reporting such bugs legal in Nepal, and if we report a bug, can they file a lawsuit against us?

This question remains unanswered, shrouded in legal ambiguity. The absence of specific regulations governing the disclosure of software vulnerabilities creates a precarious situation for both security researchers and businesses operating in Nepal’s digital space. Even so, the current legal landscape offers room to explore the ethical considerations, and it underscores the need for a clear framework for responsible bug reporting in Nepal.

This ambiguity discourages ethical hackers, also known as bug hunters, from disclosing vulnerabilities they discover. Without a legal framework that protects their actions, these researchers face the potential of being misconstrued as malicious hackers, leading to legal consequences. This not only hinders the process of identifying and fixing software vulnerabilities but also creates a culture of fear and hinders the development of a robust cybersecurity ecosystem in Nepal.

The lack of clear regulations also poses challenges for businesses. On one hand, companies are increasingly reliant on secure software to protect sensitive data and maintain consumer trust. Unreported bugs leave these businesses vulnerable to cyber-attacks and data breaches, potentially leading to significant financial losses and reputational damage.

On the other hand, the absence of a legal framework for responsible bug bounty programs creates uncertainty for businesses unsure how to react to bug reports. This creates a tangled situation where both bug hunters and businesses operate with apprehension, hindering the overall security posture of Nepal’s digital infrastructure.

Is reporting such bugs legal in Nepal?

Photo: Pixabay/Testbytes

To give a direct answer: it is not illegal to report a bug in Nepal. However, that statement alone will not save anyone from legal action, so we must look at the supreme law of Nepal, the Constitution of Nepal 2015.

Article 48, Duties of citizens, provides that every citizen shall have the following duties: (a) to safeguard the nationality, sovereignty and integrity of Nepal, while being loyal to the nation; (b) to abide by the Constitution and law; (c) to render compulsory service as and when the State so requires; and (d) to protect and preserve public property. Clause (d) is the relevant one. If public property is divided, it falls into two parts: digital public property and physical public property. Since the law says to protect and preserve public property, it directly covers the protection of digital public property as well. Following this line of reasoning, reporting a bug or vulnerability in public digital property, whether a system, software or website, is not illegal. In the context of private property it may be considered illegal, but the law is silent in this situation, and here the principle of “no law, no crime” applies: for an act to be established as a crime, there must be a law that prohibits it.

If we report bug can they file law suit against us?

Whether someone can file a lawsuit against you for reporting a bug depends on a few key factors:

  • Nature of the system/software: As the analysis above highlighted, reporting vulnerabilities in public systems/infrastructure is more likely to be viewed as a civic duty under Nepal’s law. However, if it involves a private company’s system, they may take a different view.
  • How the vulnerability was discovered: If you used unlawful methods like hacking or bypassing security measures to find the bug, the company could potentially file suit alleging unauthorized access or computer crimes.
  • Your intentions: If your intent was clearly malicious, such as trying to exploit the bug for personal gain or to cause damage, legal action becomes more likely. However, if you discovered it incidentally and reported it responsibly, that weighs against a lawsuit.
  • Disclosure process: Following proper vulnerability disclosure processes by notifying the company privately first before any public disclosure reduces legal risk significantly versus publicizing it without notice.
  • Actual damages: For a lawsuit, the company would need to show they suffered compensable damages from your actions.

In general, if you discover a bug in good faith, report it responsibly through proper channels to allow remediation, and did not use unlawful methods or have malicious intent, the legal risk of a lawsuit should be low, especially for public systems. Responsible disclosure following industry best practices provides strong protection.

However, the risk increases if the vulnerability was in a private system, discovered through unlawful means, publicly disclosed before notice, or if intent/actions appear malicious. Companies may still pursue legal action in those cases, even if chances of winning are low, to discourage others.

There is an inherent tension between the need to test for vulnerabilities in order to discover and report them responsibly, and laws that prohibit unauthorized access to computer systems. The main point, however, is that responsibly researching vulnerabilities under controlled conditions and with permission does not equate to the unlawful “unauthorized access” criminalized by computer crime laws. It is an explicitly authorized and contractually bounded process. The fundamental premise is that ethical security research aimed at identifying and responsibly disclosing vulnerabilities provides a broader societal benefit by allowing critical systems to be secured. This serves the public interest. The apparent contradiction is resolved by arguing that responsible vulnerability discovery activities, conducted with proper scope, permissions and disclosure processes, do not actually constitute “unauthorised access” in a legal sense.

If a breach occurs, can an individual (whose data has been leaked) also file suit against the hacker and the company whose database has been leaked?

An individual whose personal data is compromised in a data breach may have legal recourse to file civil lawsuits against both the malicious hacker responsible for the breach as well as the company that failed to adequately protect their data. Regarding the hacker, they can potentially be sued for criminal violations like unauthorized computer access, theft of data, and privacy violations that resulted in harm to the individual. As for the company, they have a duty to implement reasonable data security measures, and can face negligence claims if lapses in their security practices directly enabled the preventable breach. The individual can argue the company breached contractual obligations, violated data privacy laws, and failed to meet statutory requirements around safeguarding personal information. While the hacker faces criminal culpability, the company’s liability centers on not adhering to an appropriate standard of care in data protection that resulted in the exposure of the individual’s sensitive information. The ability to pursue this dual-track legal action provides recourse for victims when both a criminal act and a company’s negligence contributed to a data breach and privacy violation.

Nepal’s perspective:

The main reference can be taken from the Privacy Act of Nepal:

Based on my reading of the Privacy Act, 2075 (2018), an individual whose personal data has been leaked can potentially file a lawsuit against both the company that suffered the data breach as well as the hacker responsible, under the following provisions:

  1. Against the Hacker:

Section 29(1) lists various acts that are considered offenses under this Act. Clause (r) states “Any act contrary to sub-sections (1), (3) and (7) of Section 23” is an offense. Section 23 prohibits collecting, storing, analyzing or publishing personal information except by authorized officials or with consent. A hacker illegally accessing and leaking personal data would violate this provision.

  2. Against the Company:

Section 25(1) states “The personal information that has been collected by any public body or remained under the responsibility or control of such a body shall be protected by such body.”

Section 25(2) requires public bodies to implement appropriate security measures to prevent unauthorized access, use, disclosure etc. of personal data under their control. Section 31(1) allows the concerned person/victim to file a complaint to the District Court to claim compensation for any “damage, loss or injury” caused due to offenses committed under this Act.

So an individual can file a complaint against the hacker under Section 29 for illegally accessing/leaking personal data. And they can file a complaint against the company under Sections 25 and 31 for failing to adequately protect the personal data under its control, which led to the data breach and subsequent damages to the individual. This allows individuals to potentially pursue legal recourse against both the perpetrator (hacker) who directly breached their privacy and the company that failed in its duty to safeguard the personal data, leading to the breach.

While Nepal lacks a dedicated bug bounty/vulnerability disclosure law, a reasoned legal interpretation suggests reporting public system vulnerabilities responsibly may be permissible, but private system vulnerabilities exist in a grayer area of the law. Individuals have recourse options after data breaches. However, clear legislation specifically governing ethical hacking and coordinated vulnerability disclosure would provide much-needed clarity for all stakeholders in Nepal’s digital ecosystem.


Chaudhary is a law student at Nepal Law Campus.
