What do you mean by “bug bounty”?
“Bug bounty” is a friendly, structured deal between an organization and independent security researchers: you look for security weaknesses (bugs) in their digital systems, you report them responsibly, and—if your finding meets the rules—they may reward you with money, swag, or public recognition. It’s not the same as randomly poking at any website on the open internet. Proper bug bounty happens under clear rules of engagement: defined scope (which assets you can test), allowed methods (what you’re permitted to do), reporting channels (how to submit), and safe-harbor language (what legal protections the program offers when you play by the rules). In short, bug bounty is a collaboration model to reduce risk, not a license to hack anything. Reputable platforms and policies also distinguish between “bug bounty” (with potential monetary rewards) and “vulnerability disclosure programs/VDPs,” which let anyone report issues but don’t always pay cash rewards. These shared norms—scope, permission, and responsible disclosure—are the backbone of ethical hacking worldwide and the key to staying on the right side of the law.
So… is bug bounty legal in Indonesia (short answer)?
Yes, when you have permission and stay within scope. Indonesia’s laws prohibit unauthorized access to, interception of, and alteration of electronic systems and information, and good intentions are not a defense: what makes testing lawful is the authorization the system owner has granted, not a promise to report what you find. Ad-hoc “testing” of systems you have no permission to probe can therefore cross legal lines even if you never cause damage. The safe way is to hunt only on assets that explicitly allow testing (for example, a company’s bug bounty program or VDP page) and to stay within the rules that page publishes. Indonesia’s Electronic Information and Transactions Law (UU ITE) criminalizes accessing electronic systems without authorization and related acts; penalties are significant, so consent is non-negotiable. If you stick to authorized targets and the responsible process the program defines, your activity aligns with lawful, good-faith research.
How does bug bounty actually work (step by step)?
First, a company publishes program rules, either for a paid “bug bounty” or a non-monetary “VDP.” Those rules list the in-scope systems (e.g., app.example.com), testing limitations (e.g., no DDoS, no social engineering), the severity rating method, reward tiers (if any), and a submission channel. You, the researcher, set up a lab (proxy, intercept tool, separate test accounts), test only what’s in scope using allowed techniques, and stop at the minimum proof of impact rather than reading or copying other users’ data. When you find a vulnerability, you report it privately with clear steps to reproduce, an impact assessment, and remediation hints. The security team triages your report, asks questions, reproduces the issue, and fixes it; then you may get a bounty or a thank-you. Many programs include “coordinated disclosure,” allowing public write-ups after a fix and within the program’s timeline, which helps the community learn without putting users at risk. These rules exist to keep everyone aligned and to separate ethical research from prohibited conduct.
What is known about Indonesian law that matters for hunters?
Three pillars matter most. (1) UU ITE (Law No. 11/2008, as amended by Law No. 19/2016 and Law No. 1/2024) criminalizes unauthorized access, interception, and tampering with electronic systems and data (Articles 30–32), with penalties under Articles 46–48 that can include multi-year imprisonment and substantial fines; Article 33 (punished under Article 49) separately covers acts that disrupt or disable a system, which is one reason programs almost universally prohibit denial-of-service testing. (2) PP 71/2019 (Government Regulation No. 71/2019 on the Operation of Electronic Systems and Transactions) governs how electronic system operators must run and secure their systems, which is relevant context for what “good practice” looks like for organizations that host bug bounty or VDPs. (3) The Personal Data Protection Law (Law No. 27/2022, the PDP Law) introduces a modern personal-data framework; mishandling personal data, even during research, can create separate liabilities. Practically: don’t access data you’re not authorized to view, don’t exfiltrate real personal data, and prefer impact proofs that minimize data exposure.
Responsible disclosure vs. bug bounty (what’s the difference?)
A vulnerability disclosure policy (VDP) tells the public how to report vulnerabilities safely; it may or may not pay rewards. A bug bounty is a VDP plus a reward framework. Many reputable organizations adopt VDPs first and later add bounties. Internationally, templates and guidance exist to help organizations craft clear, safe-harbor policies (for example, the policies published by public agencies and global tech companies, and the ISO/IEC 29147 and ISO/IEC 30111 standards on vulnerability disclosure and vulnerability handling). In Indonesia you’ll increasingly see firms publishing VDPs or bounty pages; some pay, some don’t, but the common ground is permission, scope, and a private reporting channel. If there’s no explicit policy, assume testing is not authorized.
Known boundaries and red lines (what not to do)
Never test off-scope assets or ignore “prohibited activities” (like DDoS, social engineering, or privacy-intrusive attacks) listed in the rules. Do not demand payment as a condition for non-disclosure—extortion is illegal anywhere. Do not scrape, store, or share personal data; the PDP Law adds serious duties around personal data handling. Don’t publicly disclose before the organization fixes and approves disclosure. And absolutely do not keep shells, backdoors, or persistent access after demonstrating impact. These lines are not just etiquette—they’re the difference between a lawful report and a criminal investigation.
Indonesia landscape: who’s doing what?
On the government side, BSSN (the National Cyber and Crypto Agency) leads national cyber strategy and capacity-building and coordinates the national CSIRT ecosystem; Id-SIRTII/CC, the national internet-infrastructure incident response and coordination center, now sits under BSSN, while ID-CERT is a long-running community-run CERT that has helped with incident coordination and awareness. On the private side, more Indonesian companies are adopting VDPs and, in some cases, bug bounty programs, often emphasizing coordinated disclosure and prohibitions against data misuse. This shows growing acceptance of good-faith research, provided it follows published rules.
Practical “How-To” for hunting legally in Indonesia
1) Hunt only where you have written permission (a live bounty/VDP page or a signed authorization).
2) Read the scope three times; create throwaway test accounts if allowed.
3) Use a lab mindset: proxy your traffic, keep clean notes, and avoid touching production user data.
4) Report privately via the specified channel, with a minimal, reversible proof of impact (no mass extraction, no production disruption).
5) Respect timelines, communication norms, and data-handling rules under the PDP Law.
6) Keep your testing logs; if questions arise, your notes show good faith.
7) Treat rewards as a bonus, not a right; some programs say “thanks” but pay nothing.
For companies in Indonesia: safe ways to start
If you run an Indonesian business and want help from the researcher community, start with a VDP: define in-scope systems, submission method, response targets, safe-harbor language, and disallowed activities. You can adapt public templates and international best practices, and align with local obligations in PP 71 and the PDP Law. Consider partnering with a CERT or a vetted platform, and pilot with a small, low-risk scope before expanding. Only after your triage and remediation workflows are mature should you explore paid bounties. Done right, you cut risk, earn goodwill, and comply with local rules.
Tax and money matters
When programs do pay, treat bounties like income. Keep records, invoices (if requested), and local tax filings tidy. International guidance commonly treats bounty rewards as taxable income, and while your exact obligations depend on personal circumstances, the safe assumption is to declare it. When in doubt, consult a qualified local tax professional—especially if you get paid in foreign currency or via platforms.
Risk management for researchers
Reduce your risk by staying strictly in scope, choosing targets with explicit policies, and using test data. Prefer techniques that prove impact without demanding sensitive data (e.g., confirming IDOR with your own record rather than another user’s). Avoid automated blasting; rate-limit your tests; and never degrade service availability. Keep a “kill switch” in your tooling to stop if something behaves unexpectedly. And remember that the biggest legal lever is authorization—no permission, no testing.
Common mistakes that get people in trouble
Top pitfalls include: testing first and reading rules later, exploiting beyond proof-of-concept, collecting or sharing real personal data, escalating privileges on production accounts, publicly shaming a company before it can fix, and assuming “everyone does it” is a defense. Another common trap is wandering into third-party services (payments, CDNs, auth providers) that are explicitly out of scope—even if reachable from the main app. Treat out-of-scope like a “do not enter” sign.
Coordinated disclosure basics (for both sides)
Good programs acknowledge submissions quickly, keep researchers updated, and publish fixes with credit where possible. Good researchers keep reports private, articulate risk in business terms, and provide clear reproduction steps. Many policies adopt a standard disclosure window (for example, 90 days) but allow flexibility for complex fixes. If your program anticipates public write-ups, provide guidance to help researchers publish safely after remediation.
Tooling and lab hygiene
Use a proxy/interceptor, a browser with separate profiles, and a dedicated VM or VPN egress so your testing traffic is separable from your personal traffic; if the program asks you to tag requests with a custom header or a registered source IP, do so on every request. Keep a “test-only” email and phone number for OTP flows. Prefer self-hosted note-taking with timestamps. Script repeatable checks (for example, auth/IDOR/CSRF baselines) but keep your request rate low and build in a stop condition. Practice on dedicated labs and CTFs to stay sharp without legal exposure. A disciplined lab is part of your legal defense: it shows intent, care, and reversibility.
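The scope gate, rate limit, kill switch and own-record IDOR baseline described in the risk-management and tooling sections above, as an added example in Python. It is not code from this page’s author, from any bug bounty program or from any platform. The in-scope host app.example.com, the two researcher-owned test tokens, the /api/invoice/:id endpoint and the in-memory fake target are all constructed assumptions so the script runs offline; point the `send` callable at a real HTTP client only for a target whose published policy authorizes you.

```python
"""Scope-gated, rate-limited IDOR baseline with a kill switch.

Added example for this page, not code from any bug bounty program or platform.
Everything target-specific here is a constructed assumption: the in-scope host,
the two researcher-owned test tokens, the invoice endpoint and the fake target.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

IN_SCOPE_HOSTS = {"app.example.com"}                        # hypothetical program scope
TOKEN_A, TOKEN_B = "tok-researcher-a", "tok-researcher-b"   # two throwaway accounts you own

Response = Tuple[int, str]                       # (status code, body)
Sender = Callable[[str, str, str], Response]     # send(method, url, token)


class KillSwitch(Exception):
    """Halts testing: out-of-scope target, or the target is misbehaving."""


@dataclass
class Harness:
    send: Sender
    min_interval: float = 1.0        # at most one request per second
    max_errors: int = 3              # stop after this many 5xx responses
    last_sent: float = 0.0
    errors: int = 0
    log: List[Tuple[float, str, str, int]] = field(default_factory=list)

    def request(self, method: str, url: str, token: str) -> Response:
        host = re.match(r"https?://([^/]+)/", url)
        if host is None or host.group(1).lower() not in IN_SCOPE_HOSTS:
            raise KillSwitch(f"refusing out-of-scope target: {url}")
        wait = self.min_interval - (time.monotonic() - self.last_sent)
        if wait > 0:                 # rate limit: never blast the target
            time.sleep(wait)
        self.last_sent = time.monotonic()
        status, body = self.send(method, url, token)
        self.log.append((time.time(), method, url, status))   # timestamped notes
        if status >= 500:
            self.errors += 1
            if self.errors >= self.max_errors:
                raise KillSwitch("repeated server errors; stopping to protect availability")
        return status, body


def idor_baseline(h: Harness, base: str, record_id: str) -> Dict[str, object]:
    """Check object-level authorization using only a record you own.

    Account A reads its own record (must be 200); account B requests the same
    URL. 200 for B is the finding; 403/404 means the control holds. No other
    user's data is requested, and the evidence kept is a short prefix only.
    """
    url = f"{base}/api/invoice/{record_id}"
    owner_status, _ = h.request("GET", url, TOKEN_A)
    other_status, other_body = h.request("GET", url, TOKEN_B)
    vulnerable = owner_status == 200 and other_status == 200
    return {"endpoint": url, "owner_status": owner_status,
            "other_status": other_status, "vulnerable": vulnerable,
            "evidence": other_body[:32] if vulnerable else ""}


# Constructed fake target (no network): one invoice owned by account A, and an
# endpoint that only checks for *a* token, never the owner, i.e. an IDOR.
FAKE_DB = {"inv-1001": (TOKEN_A, "PDF-TEST invoice inv-1001, no real PII")}


def fake_target(method: str, url: str, token: str) -> Response:
    rec = FAKE_DB.get(url.rsplit("/", 1)[-1])
    return (200, rec[1]) if rec and token else (404, "")


def run_demo() -> Dict[str, object]:
    """Exercise the harness offline: baseline, scope gate, kill switch."""
    h = Harness(send=fake_target, min_interval=0.0)
    result = idor_baseline(h, "https://app.example.com", "inv-1001")
    try:   # a third-party host reachable from the app is still out of scope
        h.request("GET", "https://cdn.thirdparty.example/api/invoice/inv-1001", TOKEN_A)
        result["scope_gate_held"] = False
    except KillSwitch:
        result["scope_gate_held"] = True
    flaky = Harness(send=lambda m, u, t: (503, ""), min_interval=0.0)
    sent = 0
    try:
        while True:
            flaky.request("GET", "https://app.example.com/health", TOKEN_A)
            sent += 1
    except KillSwitch:
        result["requests_before_kill_switch"] = sent   # 2 completed, 3rd tripped
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The harness refuses any URL whose host is not in the published scope before a single packet would leave, sleeps to hold the request rate down, and stops itself after three consecutive-or-not 5xx responses so a fragile target is never pushed toward an outage; the timestamped `log` is the kind of record step 6 of the how-to asks you to keep. The baseline never touches another user’s record: both requests are for a record account A created, and only a 32-character prefix of the response is retained as evidence.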
Writing a high-signal report
Lead with the business risk (“Unauthenticated users can read invoice PDFs with PII”), then provide numbered reproduction steps, screenshots or short videos, minimal payloads, impact analysis, affected endpoints, and a crisp remediation suggestion (e.g., “enforce object-level authorization on /api/invoice/:id and return 404 when not owned”). Tag severity with the program’s rubric and include logs or curl snippets. Clarity gets triaged faster—and usually rewarded better.
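The remediation line in the sample report above (“enforce object-level authorization on /api/invoice/:id and return 404 when not owned”), shown as an added before/after example in Python. It is not code from this page’s author or from any real application; the invoice table, the token-to-user session lookup and the handler signatures are constructed stand-ins for a web framework’s data layer and request handling.

```python
"""Object-level authorization on /api/invoice/:id, before and after.

Added example for this page, not the code of any real application. INVOICES,
SESSIONS and the handler signatures are constructed stand-ins for a framework's
data layer and request handling; the point is the ownership check.
"""
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]   # (status code, body)

# Constructed sample data (no real PII): invoice id -> (owner user id, PDF as text)
INVOICES: Dict[str, Tuple[str, str]] = {
    "inv-1001": ("user-A", "%PDF test invoice for user-A"),
    "inv-1002": ("user-B", "%PDF test invoice for user-B"),
}
# Constructed session table: bearer token -> user id
SESSIONS: Dict[str, str] = {"tok-A": "user-A", "tok-B": "user-B"}


def current_user(token: Optional[str]) -> Optional[str]:
    """Resolve the caller; None for anonymous or unknown tokens."""
    return SESSIONS.get(token) if token else None


def get_invoice_vulnerable(invoice_id: str, token: Optional[str]) -> Response:
    """Before: the id alone selects the object; nobody checks who is asking.

    This is the "unauthenticated users can read invoice PDFs" finding from
    the sample report: a guessable id is the only thing protecting the PDF.
    """
    rec = INVOICES.get(invoice_id)
    if rec is None:
        return 404, "not found"
    return 200, rec[1]


def get_invoice_fixed(invoice_id: str, token: Optional[str]) -> Response:
    """After: authenticate first, then authorize against the object's owner.

    A non-owner gets the same 404 as a missing invoice, so the endpoint neither
    serves the PDF nor confirms that the id exists (no enumeration oracle).
    Deny is the default: the 200 path is reached only when both checks pass.
    """
    user = current_user(token)
    if user is None:
        return 401, "login required"
    rec = INVOICES.get(invoice_id)
    if rec is None or rec[0] != user:
        return 404, "not found"
    return 200, rec[1]


def compare(invoice_id: str, token: Optional[str]) -> Tuple[int, int]:
    """Status codes (vulnerable, fixed) for the same request, side by side."""
    return (get_invoice_vulnerable(invoice_id, token)[0],
            get_invoice_fixed(invoice_id, token)[0])


if __name__ == "__main__":
    for who, tok in (("owner", "tok-A"), ("other user", "tok-B"), ("anonymous", None)):
        before, after = compare("inv-1001", tok)
        print(f"{who:>10} GET /api/invoice/inv-1001 -> before: {before}  after: {after}")
```

The fixed handler looks the record up and then compares its owner with the authenticated caller on every request, rather than trusting that a caller who knows the id is entitled to it. Returning 404 instead of 403 for a record the caller does not own is the choice the report’s remediation line asks for: a 403 would still tell an attacker which ids exist, which some program rubrics score as a separate information-disclosure finding.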
Where to learn policies and examples
Study public VDPs and disclosures by major organizations and agencies, and look at the language they use around safe harbor, scope, timing, and prohibited actions. This will help you understand how mature programs set expectations and how your own reports should be framed to match. Indonesia’s ecosystem is evolving, but you can still draw from international templates and adapt to local legal context.
Why Indonesia benefits from VDPs and bounties
For organizations, VDPs and bounties extend your security team with thousands of motivated eyes, helping you find what scanners miss and reducing breach risk. For researchers, they provide legal clarity, recognition, and sometimes income. For the country, they nurture skills, accelerate fix cycles, and build a culture of responsible security—goals echoed in national cyber-strategy efforts. Done right, everyone wins: users are safer, companies are more resilient, and researchers get to practice ethical hacking with clear rules.
Conclusion
Bug bounty in Indonesia is legal when it’s authorized, scoped, and handled through responsible disclosure; it’s illegal when it strays into unauthorized access or data misuse. The law (UU ITE), sector rules (PP 71/2019), and the PDP Law form the backdrop you should respect. For researchers: hunt only where you’re invited, minimize data exposure, and report privately with professionalism. For companies: start with a solid VDP tailored to Indonesian obligations, then consider bounties once your processes are mature. The practical path is simple: permission first, scope always, disclosure coordinated. Follow that, and you’ll stay on the right side of both security and the law.
FAQs
1) Can I test any Indonesian website if I promise to report the bug?
No. Without explicit authorization, testing can violate UU ITE. Only test where a VDP/bug bounty or written permission exists.
2) If a company has a VDP but says “no rewards,” is hunting still legal?
Yes—if you follow its rules and scope. A VDP defines permission; a bounty simply adds rewards.
3) Can I include real customer data in my proof of concept?
Avoid it. Indonesia’s PDP Law governs personal data; demonstrate impact using your own records or redacted samples.
4) Are bug bounty rewards taxable?
Generally, yes—treat them as income and keep records for your tax filings.
5) Where can a company find a good starting template for a VDP?
Look at established public VDP templates and adapt them to Indonesia’s context and your systems.