Abstract
Whenever security researchers find an exploitable vulnerability in software, they face several options: Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations to the various, typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.
About the author

Dominik Brodowski is a senior researcher at the University of Frankfurt (Main) and a lecturer (Lehrbeauftragter) at Albstadt-Sigmaringen University in a master's course on digital forensics. As a graduate of the University of Tübingen and University of Pennsylvania Law School, his professional activities focus on European criminal law, criminal procedure and its interaction with the realities of technology.
Chair for Criminal Law et al. (Prof. Burchard), HPF EXC 15, 60629 Frankfurt am Main, Germany, Tel.: +49-69-798-31476
©2015 Walter de Gruyter Berlin/Boston