Change language
English Deutsch
Change currency
€ EUR £ GBP $ USD
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg December 1, 2015

(Ir-)responsible disclosure of software vulnerabilities and the risk of criminal liability

  • Dominik Brodowski

    Dominik Brodowski is a senior researcher at the University of Frankfurt (Main) and a lecturer (Lehrbeauftragter) at Albstadt-Sigmaringen University in a master's course on digital forensics. As a graduate of the University of Tübingen and University of Pennsylvania Law School, his professional activities focus on European criminal law, criminal procedure and its interaction with the realities of technology.

    Chair for Criminal Law et al. (Prof. Burchard), HPF EXC 15, 60629 Frankfurt am Main, Germany, Tel.: +49-69-798-31476

     EMAIL logo
From the journal it - Information Technology
https://doi.org/10.1515/itit-2015-0014

Abstract

Whenever security researchers find an exploitable vulnerability in software, they face several options: Common examples are contacting the author, maintainer or vendor of the software in private (limited disclosure), publishing information on the vulnerability – possibly with a proof-of-concept of how to exploit it – (full disclosure), a combination of both (responsible disclosure), or even selling information on the vulnerability to third parties. In this article, I will discuss the legal obligations and the legal limitations to the various, typical options available to IT security researchers, with a specific focus on how they may comply with German and European criminal law.

Keywords: Full disclosure; responsible disclosure; handling of software vulnerabilities; liability for software exploitation
ACM CCS: Software and its engineering→Software creation and management; Security and privacy→Software and application security; Legal aspects of computing

About the author

Dominik Brodowski

Dominik Brodowski is a senior researcher at the University of Frankfurt (Main) and a lecturer (Lehrbeauftragter) at Albstadt-Sigmaringen University in a master's course on digital forensics. As a graduate of the University of Tübingen and University of Pennsylvania Law School, his professional activities focus on European criminal law, criminal procedure and its interaction with the realities of technology.

Chair for Criminal Law et al. (Prof. Burchard), HPF EXC 15, 60629 Frankfurt am Main, Germany, Tel.: +49-69-798-31476

Received: 2015-4-1
Accepted: 2015-9-20
Published Online: 2015-12-1
Published in Print: 2015-12-28

©2015 Walter de Gruyter Berlin/Boston

From the journal
it - Information Technology
it - Information Technology
Volume 57 Issue 6
Submit manuscript

Journal and Issue

Articles in the same Issue

Frontmatter
Editorial
From IT forensics to forensic computing
Special Issue
Characteristic evidence, counter evidence and reconstruction problems in forensic computing
Towards automated preprocessing of bulk data in digital forensic investigations using hash functions
(Ir-)responsible disclosure of software vulnerabilities and the risk of criminal liability
Web tracking: Overview and applicability in digital investigations
What is essential data in digital forensic analysis?
Current Research Projects
The PhD program “Fortschrittskolleg Online Participation”
Distinguished Dissertations
Privacy issues in the Domain Name System and techniques for self-defense
Downloaded on 9.6.2023 from https://www.degruyter.com/document/doi/10.1515/itit-2015-0014/html
Scroll to top button