5 October 2017
Article in Internet Law Magazine. Cyber attacks are regularly in the news. Time and again IT systems appear to be vulnerable to hackers. Increasingly, organizations are requesting hackers to detect vulnerabilities. Hacken is thus in fact a service and hackers IT service providers. If a contract is based on this service, these services are often referred to as ‘penetration tests’ or ‘pentests’. Hacking on request differs from regular IT services. For example, unlike many other IT services, a wrongly executed hack can quickly conflict with criminal law, copyright or privacy law, or infringe the rights of third parties. Another difference with regular IT services is that in case of hacking on request, there is not always a contract as the basis. There are institutions that call hackers to perform a hack and declare their willingness to reward the hacker for this if certain conditions are met. Guidelines have been developed from different angles to determine whether a hack is legally acceptable and is in line with market standards. In this article we explore these criteria and we formulate points of attention that should be taken into account when hacking on request. Because not much has been written about hacking on request and hacking has many aspects, this article has the approach of a tour d’horizon. However, the many aspects are worth a closer look. The unsolicited hack, which has already been written about, is not the subject of this article and is only dealt with indirectly.