Researchers in IT security who identify and report an IT security vulnerability can be prosecuted for it in Germany. This is made possible by § 202a and § 202c of the German Criminal Code (StGB), which came into force in 2007. By law, the hacking of vulnerabilities is made a punishable offense.
In our current whitepaper White Hat Hacking in Research (only available in German) we describe the central effects of these paragraphs on IT security research in Germany and show why, in our view, a modification of these legal norms not only makes sense, but is urgently needed.
At the same time, as an established research institute in the field of IT security, we take a stand on this discourse in the context of the current political plans of the German government and the associated development trends towards an improved IT security situation in Germany.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.