You currently have no access to view or download this content. Please log in with your institutional or personal account if you should have access to this content through either of these.
Showing a limited preview of this publication:
Abstract
Whenever security researchers find an exploitable vulnerability in software, they face several options: Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations to the various, typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.
Keywords: Full disclosure; responsible disclosure; handling of software vulnerabilities; liability for software exploitation
ACM CCS: Software and its engineering→Software creation and management; Security and privacy→Software and application security; Legal aspects of computing
Received: 2015-4-1
Accepted: 2015-9-20
Published Online: 2015-12-1
Published in Print: 2015-12-28
©2015 Walter de Gruyter Berlin/Boston