[ad_1]
The search for vulnerabilities in the system of others is not only allowed, according to the prosecutor in an article on the policy of coordinated disclosure of the vulnerability of responsible disclosure. With such policies, organizations know under what conditions vulnerabilities can be searched in their system and how bug reports are handled. no declaration is made or other legal steps are taken. "If an organization does, the police and the public prosecutor's office will not, in principle, immediately proceed with a criminal investigation, provided you have demonstrably followed the countervailing duty or DR rules of the organization" , according to the parquet floor. The prosecution therefore recommends that researchers record their steps in a log file.
If the criminal prosecution service has indications that a researcher has deliberately or unconsciously violated the policy, an investigation may be initiated. On the basis of this investigation, the public prosecutor may decide to prosecute or not. When organizations do not respond to a report, it does not always mean that nothing happens, continues the prosecution service. If this is not clear, you can contact the National Cybersecurity Center (NCSC).
Source link
