Germany drafts law to protect researchers who find security flaws

November 6, 2024 at 10:19AM

Germany’s Federal Ministry of Justice has proposed a law to protect security researchers from criminal liability when reporting vulnerabilities. The draft amends the Criminal Code, offering legal safety in defined circumstances and imposing stricter penalties for serious data crimes. Feedback is due by December 13, 2024, before parliamentary consideration.

### Meeting Notes Takeaways:

1. **Draft Law Overview**: The Federal Ministry of Justice in Germany has proposed a law aimed at protecting security researchers who discover and responsibly report security vulnerabilities.

2. **Legal Protections**:
   - Security researchers acting within certain boundaries will be exempt from criminal liability and prosecution.
   - Minister of Justice Dr. Marco Buschmann emphasized the need for recognition, stating, “Those who want to close IT security gaps deserve recognition—not a letter from the prosecutor.”

3. **Amendment Details**:
   - The law amends Section 202a of the Criminal Code (StGB) to ensure that IT security researchers and others are not punished under computer criminal law when acting to detect and close vulnerabilities.
   - The criteria for protection include:
     - Intention to identify vulnerabilities in IT systems.
     - Plans to report findings to responsible entities (e.g., system operators, software manufacturers, or the BSI).
     - System access limited to what is necessary for identifying vulnerabilities.

4. **Broader Criminal Liability Exemptions**:
   - The same protections apply to offenses under data interception (§ 202b StGB) and data modification (§ 303a StGB) if the actions are authorized.

5. **Stricter Penalties for Data Crimes**:
   - The draft proposes harsher penalties (3 months to 5 years imprisonment) for severe cases of data spying and interception, particularly in situations involving:
     - Significant financial damage.
     - Profit-driven motives, commercial scale, or organized crime.
     - Compromise of critical infrastructure (e.g., health, energy, transportation) or national security.

6. **Feedback Process**:
   - The draft law has been shared with the federal states and relevant associations for review, with a feedback deadline of December 13, 2024, before parliamentary deliberation in the Bundestag.

7. **International Context**:
   - The U.S. Department of Justice is considering similar protections for “good-faith” security researchers under the Computer Fraud and Abuse Act (CFAA) as of May 2022.

For further details about the draft law and proposed amendments, additional resources are available.