Is Finding Vulnerabilities in a Company That Has No Bug-Bounty Program Illegal?
Polish, EU & US Perspectives for Ethical Hackers (Updated 2025)
1. Why This Matters
Many ethical hackers still ask:
“I found a bug on a site that doesn’t run a bounty program. Am I already a criminal?”

Short answer: No—if you do not exploit data, disrupt systems or demand ransom. But it is a gray zone; knowing the legal borders reduces risk for both sides.

2. Polish Criminal Code (art. 267–268a) as an Example
Art. 267 §1–3 k.k. criminalises unauthorised access to information only when it is accompanied by:
1. Breaking or bypassing security, or
2. Wire-tapping, or
3. Physical interception (e.g., a hidden microphone).
Courts (e.g., SR Szczytno II K 25/22) emphasise intent to obtain content. Passive scans that do not breach any barrier or copy data rarely meet the threshold.

Practical take-aways (PL)
Activity | Legal outlook*
Passive recon (Shodan-style, no login bypass) | Low risk
Nmap port scan, vuln header check | Still low – no protected information accessed
Manual proof-of-concept without exfiltration | Gray – ask for consent first
Downloading the DB / extorting | Criminal (art. 267, 268a)

* Assuming no private data is taken and no damage is caused.

3. EU & International Layer
Budapest Convention (2001)
Requires states to criminalise intentional access that is “without right”. Intent matters: purely defensive research, no exploitation and voluntary disclosure greatly lower the likelihood of prosecution.

NIS 2 Directive (2023)
Encourages—but doesn’t force—companies to publish disclosure policies. The absence of a bounty does not equal an automatic prohibition; it merely means a researcher should make contact via abuse@ or /.well-known/security.txt before deeper testing.

4. United States: Safe-Harbor Trend
The CFAA is historically broad, yet the DOJ’s 2022 policy explicitly declines to prosecute good-faith research. DMCA §1201 anti-circumvention still applies to DRM, but the security-research exemptions (2021–2024 round) protect non-exploitative testing.

What “good-faith” means (DOJ):
1. Goal = security improvement
2. No intent to extort, sell data or impair systems
3. Reasonable time given to the vendor before public disclosure

Meet those and US federal risk ≈ zero.

5. Why Prosecutors Rarely Pursue Pure Researchers
1. No-harm principle – no data stolen, no service disruption.
2. Public-interest defense – courts weigh social benefit (CFAA cases are often dropped when there is no damage).
3. Intent evidence – logs, a PoC limited in scope and respectful communication via e-mail/NDA make “malice” hard to prove.

6. How to Stay on the Safe Side
Tip | Reason
🔒 Don’t bypass login/2FA unless explicitly authorised | Turns a low-risk scan into “unauthorised access”
📨 Use security.txt or abuse@ before deep testing | Shows good-faith intent
⏱ Give >90 days before public disclosure | Mirrors Google & CERT norms; good optics
📑 Keep logs proving you never exfiltrated personal data | Mitigates accusations of theft
🤝 Consider intermediaries (e.g., Secure Channel) for NDA & payment | Removes banking / AML friction

7. Conclusion
Pure vulnerability hunting is rarely illegal if:
1. no protected data is accessed,
2. no barriers are broken,
3. disclosure is voluntary and constructive.

Laws in Poland, the EU and the US converge on intent and impact. Stay within good-faith boundaries and you’re extremely unlikely to face criminal charges—even when the company has no formal bug-bounty program.

Sources / Further Reading
1. Polish Penal Code art. 267–268a (Dz.U. 1997).
2. SR Szczytno II K 25/22 (2022).
3. Council of Europe Budapest Convention, ETS 185.
4. NIS 2 Directive 2022/2555.
5. DoJ 2022 CFAA Policy Statement (justice.gov).
6. DMCA §1201 Research Exemptions (US Copyright Office).