The discovery, responsible disclosure, and prompt remediation of cybersecurity vulnerabilities are a vital part of ensuring that the digital economy, and the information society around it, stay safe and resilient.
CyAN’s mission includes support for legal measures and good practices to this end; we endorse the creation of laws and national policies that protect responsible cybersecurity researchers, while ensuring that bad actors are not able to unduly exploit discovered vulnerabilities before fixes can be created and deployed within a reasonable timeframe.
Unfortunately, although many countries recognize the need for legal protection of good-faith vulnerability researchers, legislation in many other states still lags behind and carries the risk of prosecution or other abuse. Cybersecurity experts are thus disincentivized from reporting their findings, and may even face financial or criminal jeopardy. As a result, everyone suffers.
§ 202c of the Federal Republic of Germany’s criminal code (Strafgesetzbuch), commonly known as the “hacker paragraph” (Hackerparagraph in German), is typical of a law that, although passed with good intentions in order to combat rising computer crime, leaves significant ambiguity about protections for researchers. This diminishes the likelihood of responsible vulnerability disclosure, reduces options for remediation, and thus hurts industry, academia, society, and citizens alike. A draft law was introduced by the then-coalition government in November 2024, but was not finalized.
CyAN supports the open letter addressed to the incoming German government, requesting legal clarity and protections for responsible cybersecurity vulnerability researchers acting in good faith; originators and signatories include multiple CyAN members. We strongly encourage our members, stakeholders, and friends to read the letter, and to sign it if possible; legally protected responsible disclosure benefits everyone but the bad guys.
Open letter (German language): https://cysec-reform.jetzt