
The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors.

When security research is conducted within the specified boundaries, those responsible will be excluded from criminal liability and the risk of prosecution.

“Those who want to close IT security gaps deserve recognition—not a letter from the prosecutor,” stated Federal Minister of Justice Dr. Marco Buschmann.

“With this draft law, we will eliminate the risk of criminal liability for people who take on this important task,” the Minister added in the same statement.

Additionally, the proposed amendment to the criminal law introduces stricter penalties for serious cases of data spying and interception, particularly when critical infrastructure is targeted.

Protecting security researchers

The new draft law amends Section 202a of the Criminal Code (StGB) to protect IT security researchers, companies, and so-called “hackers” from punishment under computer criminal law.

This applies when their actions are carried out to detect and close a security vulnerability, as long as they are not considered “unauthorized.”

To qualify as security research, an action must meet the following criteria:

  1. The action must be carried out with the aim of identifying a vulnerability or another security risk in an IT system.
  2. The researcher must intend to report the identified security vulnerability to a responsible entity capable of addressing the issue, such as the system operator, the software manufacturer, or the Federal Office for Information Security (BSI).
  3. The act of accessing the system must be necessary to identify the vulnerability. This ensures that the exemption only applies to the extent required for security testing, without unnecessary or excessive access.

The same exclusion from criminal liability is also applied to offenses pertaining to data interception (§ 202b StGB) and data modification (§ 303a StGB) as long as the related actions are deemed authorized.

At the same time, the draft bill introduces a penalty ranging from three months to five years of imprisonment for severe cases of malicious data spying and data interception (§ 202a StGB).

In terms of what constitutes a severe case, the draft bill mentions the following cases:

  • The offense results in substantial financial damage.
  • The act was driven by a profit motive, conducted on a commercial scale, or carried out as part of a criminal organization.
  • Cases that compromise critical infrastructure—like hospitals, energy suppliers, or transportation networks—or affect the security of Germany or one of its states, including attacks originating from abroad.

More details about the draft law and proposed amendments are available here.

Federal states and concerned associations have received the draft for review and have until December 13, 2024, to submit their feedback before it is presented to the Bundestag for parliamentary deliberation.

The U.S. Department of Justice announced a similar revision to the Computer Fraud and Abuse Act (CFAA) in May 2022, introducing prosecution exclusions for “good-faith” security researchers.