Skip to content
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg December 1, 2015

(Ir-)responsible disclosure of software vulnerabilities and the risk of criminal liability

Dominik Brodowski


Whenever security researchers find an exploitable vulnerability in software, they face several options: Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations to the various, typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.

Received: 2015-4-1
Accepted: 2015-9-20
Published Online: 2015-12-1
Published in Print: 2015-12-28

©2015 Walter de Gruyter Berlin/Boston