This white paper describes and analyzes the legal status quo in Germany for the field of IT security research concerning the relevant criminal provisions, copyright protection, data privacy law, the protection of trade secrets and whistleblowing, plus contractual and civil liability. It outlines the legal risks for researchers, especially if a vulnerability in an IT product is found. The joint work of authors with a legal and technical background from different German research facilities also includes chapters on the technical side, the history and comparative legal aspects. The core paragraphs of the paper deal with the handling of vulnerabilities found by researchers in hardware or software and the coordinated disclosure process to eliminate faults in code or find a mitigation. The final chapter explains the need to set a framework for vulnerability disclosure that guarantees a legally safe environment for IT security research, an important factor in securing an ever-growing digital environment. The derived principles and demands are:
Independent IT security research is an essential factor for a safe digitalization process: Products in the field of information and communication technology are, despite the utmost diligence, rarely free of security flaws. If these are not discovered before the product launch, the risks for users and operators, who may be private individuals, public authorities or companies, for example, can be critical. Therefore, it becomes more and more important to find and eliminate such flaws rapidly. Societies have a great interest in strong IT security research provided by neutral parties that point out vulnerabilities in a timely manner and offer advice on eliminating or mitigating them before damaging abuse occurs.
The danger of security flaw exploitation is reduced by the Coordinated Vulnerability Disclosure (CVD) process. Following CVD, information about the vulnerability is reported by the finder or a mediator to the user, operator and/or producer of the affected system. At best this is the party that has access to the source code and is able to eliminate the flaw or mitigate it. Ideally, with a solution at hand or already implemented, a warning to the public is published so that those at risk can take the necessary measures to avoid damage. Such a notification would ideally take place only after the development and provision of a fix or alternative solution within an appropriate timeframe granted by the finder. Currently, awareness of the need to implement and support the CVD process is still too low amongst manufacturers. This white paper describes the typical conflicts and outlines legal and procedural solutions.
Currently, IT security researchers in Germany risk criminal prosecution and civil liability, even if they follow the CVD process. In many cases, reverse engineering is necessary to perform IT security research, which potentially conflicts with EU copyright law. Using reverse engineering methods, the function and construction of an unknown system or product are systematically examined for vulnerabilities stemming from coding errors or unwanted functionalities. Copyright law in particular prohibits some forms of reverse engineering if they are performed without approval by the creator. Because IT systems often consist of components from different manufacturers from all over the world, gaining all required approvals is almost impossible. The existing permissions in copyright law are insufficient to allow in-depth IT security research.
As a baseline method, IT security researchers need to analyze and act like an attacker to be able to find vulnerabilities, build new security mechanisms and prevention tools, or evaluate existing ones. Researchers, therefore, need to be able to use methods and hardware/software similar to those used by cybercriminals. But the current German IT-specific criminal law is too broad and does not differentiate sufficiently with regard to the intentions of the potential offender.
Where personal data is processed in IT security research, a legal basis is required, with the GDPR providing some privileges for research. There is a certain conflict of aims between data privacy law's obligations regarding data integrity and confidentiality on the one hand and copyright and criminal law on the other.
If everyone involved aimed to eliminate the weak spots for operators and users of vulnerable hardware and software, the risk of product liability on the producers' side would be reduced, too. But some manufacturers try to minimize the rights of users to test and search for vulnerabilities via their general terms and conditions and thus intensify the legal uncertainty. Although it is highly questionable whether many of these clauses are legitimate under German and European law, researchers must fear being admonished and/or threatened with compensation claims.
The transposition of Directive (EU) 2016/943 into German law (with the GeschGehG) introduced a very limited permission to reverse engineer trade secrets but causes conflicts with copyright law. What remains is extensive legal uncertainty, which causes chilling effects, with institutions shying away from research projects. This is because the academic world is obligated to remain scientifically honest, and projects are not permissible if they inevitably lead to legal violations.
In conclusion, the current legal framework in Germany should be adjusted so that researchers are not deterred from screening for vulnerabilities and notifying producers, operators and vendors. An important improvement would be permission norms for IT security examinations and tests in the fields of copyright and criminal law. This would also reduce the risk of contractual and general liability. In addition, implementing a culture of failure and communication at eye level between researchers and the receivers of vulnerability notifications would bring to attention that the latter receive valuable information free of charge and should be grateful instead of threatening the notifier with legal consequences.
The concealment of vulnerabilities does not lead to an increase in the security of products and systems. Only a fix in the code and publication of the findings allow lessons to be learned from errors and are technically and economically sustainable. To achieve this, the party that is able and willing to provide a technical solution shall be granted an adequate time period to fulfil this task. The notifying researcher, on the other hand, should at least be met with respect and no interference in the academic publication. Practice shows that cooperation leads to the revelation and correction of numerous flaws and yields a valuable contribution to the measurable improvement of IT security. Thus, the authors emphasize the importance of cooperation between all parties involved, which could be incorporated via a central independent vulnerability notification and coordination authority.