Original Article Text

Germany drafts law to protect researchers who find security flaws.

The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors. When security research is conducted within the specified boundaries, those responsible will be excluded from criminal liability and the risk of prosecution.

"Those who want to close IT security gaps deserve recognition—not a letter from the prosecutor," stated Federal Minister of Justice Dr. Marco Buschmann. "With this draft law, we will eliminate the risk of criminal liability for people who take on this important task," the Minister added in the same statement.

Additionally, the proposed amendment to the criminal law introduces stricter penalties for serious cases of data spying and interception, particularly when critical infrastructure is targeted.

Protecting security researchers

The new draft law amends Section 202a of the Criminal Code (StGB) to protect IT security researchers, companies, and so-called "hackers" from punishment under computer criminal law. This applies when their actions are carried out to detect and close a security vulnerability, as long as they are not considered "unauthorized." The criteria to meet for security research are the following:

The same exclusion from criminal liability also applies to the offenses of data interception (§ 202b StGB) and data modification (§ 303a StGB), as long as the related actions are deemed authorized.

At the same time, the draft bill introduces a penalty ranging from three months to five years of imprisonment for severe cases of malicious data spying and data interception (§ 202a StGB). In terms of what constitutes a severe case, the draft bill mentions the following cases:

More details about the draft law and proposed amendments are available here.
Federal states and concerned associations have received it for review and are given until December 13, 2024, to submit their feedback before it is presented to the Bundestag for parliamentary deliberation. The U.S. Department of Justice announced a similar revision to the Computer Fraud and Abuse Act (CFAA) in May 2022, introducing prosecution exclusions for "good-faith" security researchers.

Daily Brief Summary

MISCELLANEOUS // Germany Proposes Law to Shield IT Security Researchers

Germany's Federal Ministry of Justice has drafted a law to legally protect security researchers who identify and report vulnerabilities responsibly.

The draft law aims to exempt security researchers from criminal liability when they operate within legal guidelines to improve IT security.

The new legislation, amending Section 202a of the Criminal Code, will protect not only researchers but also companies engaged in legitimate security testing.

The amendment also includes more severe penalties for criminal activities such as data spying and interception, especially targeting critical infrastructure.

Under the proposed law, actions carried out to detect and close a security vulnerability are exempt from criminal liability provided they meet the draft's criteria and are therefore not considered "unauthorized".

The amendment is currently under review by federal states and associations, with feedback due by December 13, 2024, before it proceeds to parliamentary discussion in the Bundestag.

This move aligns with international trends, similar to the U.S. Department of Justice's amendments to the Computer Fraud and Abuse Act in 2022, promoting safe and authorized security research.