Germany will protect security researchers who find flaws

The German Ministry of Justice has proposed a new law that protects security researchers who responsibly identify and report vulnerabilities in IT systems. With this legislation, the objective is to exempt these professionals from criminal punishments, as long as they comply with certain criteria. The Minister of Justice, Marco Buschmann, highlighted that the intention is to value the work of these experts, avoiding unfair processes and recognizing their importance for digital security.

The proposal modify the German Criminal Code to ensure that so-called “ethical hackers” are protected when their actions are aimed at identifying security breaches and reporting them to responsible authorities or companies. Among the conditions, the project establishes that access to the system must be necessary to detect the vulnerability and that the report is directed to those who can resolve the problem, such as the system operator or the Federal Information Security Agency (BSI).

The law also toughens penalties for cyber espionage, especially in serious cases that affect critical infrastructure, such as hospitals, energy and transport companies, or that put national security at risk. These situations may result in sentences ranging from three months to five years in prison.

The cases considered most serious include those with significant financial motivation, on a commercial scale, or when part of the actions of criminal organizations. The proposal also considers targeted attacks on essential sectors and situations that involve threats to German public security, including actions that come from abroad.

The project was submitted to regional authorities and interested entities, who will have until December to send feedback before the Bundestag evaluates it. This initiative follows an international trend, as in 2022 the US Department of Justice announced revisions to the Computer Fraud and Abuse Act to protect “bona fide” security researchers.