Abstract
Whenever security researchers find an exploitable vulnerability in software, they face several options: Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations to the various, typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.
©2015 Walter de Gruyter Berlin/Boston