Bug bounty hunters should check bug bounty legal terms to ensure they are operating with explicit legal permission. The DJI bug bounty fiasco last year brought into focus the nightmare scenario that both companies and hackers want to avoid. HackerOne and Bugcrowd are promoting legal safe harbor as best practice. The solution is to include explicit safe harbor in bug bounty, and VDP, legal terms of engagement. The DOJ agrees. Its 2017 framework for a VDP suggests that bug bounties should explicitly state whether or not security testing in technical scope constitutes “authorized” conduct under the CFAA or DMCA.”]
Source: https://www.csoonline.com/article/3295860/bug-bounties-offer-legal-safe-harbor-right-right.html