Over the past three decades, the disclosure of software vulnerabilities and data breaches has gained more acceptance worldwide. However, researchers and whistleblowers still face the risk of lawsuits and criminal charges depending on the country they reside in.
In April 2022, Turkish journalist İbrahim Haskoloğlu was arrested in Istanbul after revealing details about a breach of government data in Turkey. Subsequently, the ruling party in Turkey proposed a law to criminalize false reporting of data breaches, with penalties ranging from two to five years in prison. Critics argue that this law could deter the disclosure of genuine data breaches.
Similarly, in Malta, three computer science students and their lecturer at the University of Malta were charged in March after identifying vulnerabilities in the scheduling service FreeHour and notifying the company. Despite FreeHour initially accusing the students of making ransom demands, the company later criticized the lack of clear exemptions for researchers in Malta. The students still face charges related to the incident.
Across the globe, countries like Poland and China have also taken measures against individuals reporting software vulnerabilities. In Poland, a train manufacturer threatened legal action against ethical hackers who circumvented a kill code that disabled trains. Meanwhile, in China, vulnerability researchers risk prison time for not reporting software issues to the government.
Even in the US, where vulnerability disclosure debates have been ongoing for years, companies and government agencies resort to legal action rather than engaging in civil discourse. For instance, the city government of Columbus, Ohio, filed a lawsuit against whistleblower David L. Ross, accusing him of colluding with ransomware gangs. However, the city later dropped the case.
Amid these challenges, cybersecurity experts emphasize the importance of cautious disclosure of software security issues. Trey Ford from Bugcrowd suggests obtaining permission from targeted organizations before conducting research and disclosing findings to avoid legal repercussions. Ilona Cohen from HackerOne highlights the significance of understanding local laws and collaborating with organizations to minimize potential misinformation.
The incidents involving Haskoloğlu in Turkey, the students in Malta, and the hackers in Poland underscore the need for organizations to engage with researchers rather than silence them. Dustin Childs from Trend Micro raises concerns about the growing trend of penalizing legitimate security research and calls for safe harbors for researchers reporting vulnerabilities.
However, on a global scale, legislation is moving towards stricter cybercrime measures. The UN General Assembly adopted the Convention Against Cybercrime in August 2024, criminalizing unauthorized access to ICT systems. Digital-rights groups fear that such treaties could lead to more laws penalizing legitimate security research.
Overall, the current climate favors businesses over individual researchers, with governments likely to implement tougher regulations. As the cybercrime landscape evolves, researchers and whistleblowers must navigate complex legal frameworks to protect themselves and promote transparency in the cybersecurity ecosystem.