November 6, 2024 at 04:36PM
Germany’s draft legislation aims to protect security researchers from criminal liability when reporting cyber vulnerabilities. It amends existing laws to define criteria for legitimate security research and proposes penalties for malicious acts, with the intent of encouraging the reporting of flaws rather than punishing those who identify them.
### Meeting Takeaways:
1. **Legislation Overview**: Germany’s Federal Ministry of Justice is working on a draft law aimed at protecting security researchers who identify and report security flaws.
2. **Elimination of Criminal Liability**: The proposed legislation would remove criminal liability for individuals who warn businesses and the public about cyber vulnerabilities.
3. **Amendment to Existing Law**: The new law seeks to amend existing law so that IT security researchers, companies, and ethical hackers are protected from punishment.
4. **Criteria for Security Research**:
   - The research must focus on identifying a vulnerability or security risk.
   - Researchers need to have the intention of reporting discovered vulnerabilities to responsible parties.
   - Access to systems should solely be for identifying security issues.
5. **Penalties for Malicious Acts**: Severe cases involving malicious data spying or interception, driven by profit or leading to significant financial damage, may result in penalties of three to five months in prison.
6. **Minister’s Statement**: Marco Buschmann emphasized the value of recognizing individuals working to close IT security gaps rather than penalizing them.