Security vulnerabilities: companies should rely on bug bounty programs rather than criminal complaints

There was a great deal of outrage on social media when IT security expert Lilith Wittmann announced (only in German) on Twitter on 3 August that the Berlin State Police had named her as a suspect in an investigation relating to security flaws in the Christian Democratic Union’s “CDU connect” app. The IT security expert and Chaos Computer Club (CCC) activist had previously notified the party in a “responsible disclosure” that their app contained significant security vulnerabilities, which made it possible for hackers to access the personal data of over 18,000 campaign workers (only in German). The fact that the IT security expert nevertheless received an e-mail from the Berlin State Police is evidently attributable to a complaint from the CDU, which the party now claims to have “withdrawn” (only in German). As a result, the CCC has announced (only in German) that it will no longer report security vulnerabilities to the CDU in the future. The apps themselves were taken offline temporarily, but are now available once again for use in the party’s campaigning.

We have received many questions concerning this investigation, which we will answer below.

1.    What is “responsible disclosure”?

The term “responsible disclosure” (only in German) describes a process for exposing weak points. A unique feature of this process is that the weak points are not made public until after they are eliminated by the manufacturer. The manufacturer is typically given a certain amount of time to do so.

2.    Why did the CDU file a criminal complaint/request for prosecution?

It is not yet clear whether the CDU filed a criminal complaint or a request for prosecution. A criminal complaint reports an incident to a law enforcement agency (e.g. the prosecutor’s office or the police), while a request for prosecution can only be made by the victim of a crime and is only required in certain cases. In our experience, a request for prosecution is typically filed along with a criminal complaint in cases involving all of the offenses which may come into consideration here. This may explain the confusion in the use of these terms.

3.    Withdrawing a criminal complaint or request for prosecution: can that be done?

The CDU has since announced on Twitter (only in German) that it has withdrawn its criminal complaint against the IT security expert. But from a legal standpoint, it should be noted that, unlike a request for prosecution, a criminal complaint cannot be withdrawn. Accordingly, “withdrawal” of the criminal complaint would have no impact on the investigation. On the other hand, if a request for prosecution is withdrawn, the investigation is only continued in case of a “relative complaint offense” (i.e. offenses where the need for a complaint is not absolute), if the prosecutor’s office believes that action is required due to the particular public interest in prosecuting the offense. In the present case, an investigation may be based on § 202a of the Criminal Code or § 42 of the Federal Data Protection Act (only in German). But since § 202a of the Criminal Code is a relative complaint offense in accordance with § 205(1) Sentence 2 of the Criminal Code (only in German), the investigation may be continued despite the CDU’s withdrawal of its request for prosecution if there is a particular public interest, which is not entirely out of the question in light of the ongoing election campaign and the importance of the CDU as a major political party.

4.    What consequences will the security vulnerabilities have for the CDU?

If these vulnerabilities are associated with a personal data breach and if a risk to the rights and freedoms of natural persons cannot be ruled out, the controller is required to notify the competent authority without undue delay, if possible within 72 hours of when it becomes aware of the breach, pursuant to Article 33(1) of the GDPR. But whether such a risk arises in a case where security vulnerabilities are discovered by IT security experts in a responsible disclosure is a matter of dispute. A wide variety of additional legal consequences could result in the event of a cyberattack.

5.    What can companies do better?

According to a recent study by the digital association Bitkom (only in German), German companies sustain more than EUR 220 billion in losses every year from cybersecurity incidents, including cases of extortion (e.g. using ransomware). Given the large number of possible attacks, and in order to avoid drawn-out criminal proceedings and the associated costs, companies should consider alternative precautions such as setting up contact addresses for IT security researchers, as well as bug bounty programs, in which financial rewards are paid out to IT security experts who discover and report security vulnerabilities as part of a responsible disclosure. In any case, in the event that security vulnerabilities are reported by way of responsible disclosure, we urgently advise companies not to seek prosecution of the informant by filing a criminal complaint or request for prosecution.
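The standard way to publish the contact address recommended above is a security.txt file served at /.well-known/security.txt (RFC 9116). The following is an added example, not code from the article or from reuschlaw; it builds such a file and checks the rules a reporter's tooling relies on (a Contact field, a single Expires field that still lies in the future, and contact URIs with a mailto:, tel: or https: scheme). The organisation name, e-mail address and URLs are constructed placeholders.

```python
"""Generate and sanity-check a security.txt (RFC 9116) disclosure contact file.

Added example; not part of the original article. The e-mail address and
URLs below are constructed placeholders for an imaginary example.org.
"""
from datetime import datetime, timedelta, timezone

# Constructed placeholders: replace with the organisation's real values.
CONTACT = "mailto:security@example.org"
POLICY_URL = "https://example.org/.well-known/security-policy"
CANONICAL_URL = "https://example.org/.well-known/security.txt"
ENCRYPTION_URL = "https://example.org/pgp-key.txt"

# RFC 9116 makes these two fields mandatory.
REQUIRED_FIELDS = ("Contact", "Expires")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 in UTC, the form we emit


def build_security_txt(contact=CONTACT, policy=POLICY_URL, canonical=CANONICAL_URL,
                       encryption=ENCRYPTION_URL, valid_days=365, now=None):
    """Return the text of a security.txt that is valid for `valid_days` days.

    Contact and Expires are required; Policy, Canonical, Encryption and
    Preferred-Languages are optional but tell a reporter where the disclosure
    rules and the public key live and which languages the team reads.
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).strftime(TIMESTAMP_FORMAT)
    lines = [
        f"Contact: {contact}",
        f"Expires: {expires}",
        f"Policy: {policy}",
        f"Canonical: {canonical}",
        f"Encryption: {encryption}",
        "Preferred-Languages: de, en",
    ]
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Parse 'Field: value' lines into a dict of lists; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes.

    Checks: required fields present, exactly one Expires, Expires parseable
    (in the UTC form this script emits) and still in the future, and every
    Contact value using a mailto:, tel: or https: scheme.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("more than one Expires field")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 UTC timestamp: {value}")
            continue
        if expires <= now:
            problems.append(f"security.txt expired on {value}")
    for value in fields.get("Contact", []):
        if not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact should use mailto:, tel: or https: scheme: {value}")
    return problems


if __name__ == "__main__":
    txt = build_security_txt()
    print(txt)
    print("problems:", check_security_txt(txt) or "none")
```

A stale Expires date is the most common defect in deployed files, so re-running the check from a scheduled job (and regenerating the file well before the date passes) keeps the contact channel usable for the researchers the article has in mind.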

6.    What legal options do IT security experts have to protect themselves?

As of now, German criminal law affords inadequate protection for well-meaning IT security experts who report vulnerabilities to the affected parties rather than maliciously exploiting them or selling them on the dark web. This is particularly true for § 202a of the Criminal Code and the subsequent Sections (only in German). It is therefore past time for a change in Germany’s cybercrime laws so as to guarantee immunity from prosecution for IT security experts who report security vulnerabilities by way of responsible disclosure. IT security experts can also turn to the Federal Office for Information Security (BSI) (only in German) for assistance when making contact so as to avoid drawing suspicion from companies and law enforcement agencies. BSI provides a reporting form (only in German) for this purpose and promises that the information will be handled confidentially. But given that BSI is a government agency and not an independent body, its promise of confidentiality may be broken in case of doubt. We therefore recommend arranging for responsible disclosure through an attorney, particularly for companies and research institutions which routinely report security vulnerabilities, since attorneys are bound by attorney-client privilege not to disclose confidential information.

The Digital Business Unit of reuschlaw Legal Consultants would be glad to help you manage IT security incidents, as well as advising you in all questions relating to responsible disclosures and bug bounty programs. You can contact them at any time.
