Published by De Gruyter Oldenbourg December 1, 2015

(Ir-)responsible disclosure of software vulnerabilities and the risk of criminal liability

  • Dominik Brodowski

    Dominik Brodowski is a senior researcher at the University of Frankfurt (Main) and a lecturer (Lehrbeauftragter) at Albstadt-Sigmaringen University in a master's course on digital forensics. As a graduate of the University of Tübingen and University of Pennsylvania Law School, his professional activities focus on European criminal law, criminal procedure and its interaction with the realities of technology.

    Chair for Criminal Law et al. (Prof. Burchard), HPF EXC 15, 60629 Frankfurt am Main, Germany, Tel.: +49-69-798-31476

Abstract

Whenever security researchers find an exploitable vulnerability in software, they face several options. Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations on the various typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.

Received: 2015-4-1
Accepted: 2015-9-20
Published Online: 2015-12-1
Published in Print: 2015-12-28

©2015 Walter de Gruyter Berlin/Boston

Downloaded on 26.2.2024 from https://www.degruyter.com/document/doi/10.1515/itit-2015-0014/html