Ethical Hacking News

Portugal's Innovative Cybersecurity Framework: A Beacon of Protection for Security Researchers


Portugal has updated its cybercrime law to provide a legal safe haven for good-faith security researchers. The new provision sets out specific conditions that must be met to avoid prosecution, including that researchers aim solely at identifying vulnerabilities not created by them and report the vulnerability to the system owner and relevant data controller.

  • Portugal has updated its cybercrime law to provide a legal safe harbor for good-faith security researchers.
  • The new provision, titled "Acts not punishable due to public interest in cybersecurity," establishes a framework that exempts actions aimed at identifying vulnerabilities and contributing to cybersecurity from prosecution.
  • The Portuguese government aims to encourage more people to engage in bug bounty programs and vulnerability scanning initiatives through this update.
  • Researchers must meet several key conditions to be considered exempt from criminal liability, including identifying vulnerabilities not created by the researcher and reporting them immediately to relevant authorities.
  • Researchers are also prohibited from using certain techniques, such as DoS or DDoS attacks, social engineering, and malware deployment.
  • The new framework provides a clear model for other countries to follow and reduces uncertainty and risk associated with security research.



    In a significant development that is set to change the way security researchers operate, Portugal has recently updated its cybercrime law to provide a legal safe harbor for good-faith security research. The new provision, titled "Acts not punishable due to public interest in cybersecurity," establishes a framework that exempts actions aimed at identifying vulnerabilities and contributing to cybersecurity from prosecution.

    The Portuguese government's decision is part of a broader trend towards recognizing the importance of responsible disclosure practices among security researchers. By providing a legal safe haven for researchers who identify vulnerabilities, Portugal aims to encourage more people to engage in bug bounty programs and vulnerability scanning initiatives, thereby enhancing the overall security posture of its citizens and businesses.

    The new article, which was introduced as part of Article 8.o-A, clearly defines the limits of security research. To be considered exempt from criminal liability, researchers must meet several key conditions. Firstly, their research must aim solely at identifying vulnerabilities not created by the researcher and at improving cybersecurity through disclosure. Secondly, they cannot seek or receive any economic benefit beyond normal professional compensation. Thirdly, they must immediately report the vulnerability to the system owner, any relevant data controller, and the CNCS. Fourthly, their actions must be strictly limited to what is necessary to detect the vulnerability, without disrupting services, altering or deleting data, or causing harm.

    Furthermore, researchers are prohibited from using techniques such as DoS or DDoS attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment. Additionally, any data obtained during the research must remain confidential and be deleted within 10 days of the vulnerability being fixed. Acts performed with the system owner's consent are also exempt from punishment, but any vulnerabilities found must still be reported to the CNCS.

    This new framework is a significant departure from previous laws that were more restrictive towards security researchers. The Federal Ministry of Justice in Germany has introduced similar protections for security researchers who discover and responsibly report security flaws to vendors. In May 2022, the U.S. Department of Justice (DOJ) announced revisions to its federal prosecution policies regarding Computer Fraud and Abuse Act (CFAA) violations, adding an exemption for "good-faith" research.

    The introduction of this new law is seen as a major development in the global cybersecurity landscape. It provides security researchers with the legal protection they need to operate without fear of prosecution, which can be a significant barrier to entry for many individuals who want to contribute to the field of cybersecurity. By encouraging more people to engage in bug bounty programs and vulnerability scanning initiatives, Portugal aims to enhance the overall security posture of its citizens and businesses.

    Moreover, this new law is also seen as a model for other countries to follow. It provides a clear framework for what constitutes good-faith research and sets out specific conditions that must be met to avoid prosecution. This clarity can help to reduce the uncertainty and risk associated with security research, allowing researchers to operate more confidently and effectively.

    In conclusion, Portugal's decision to update its cybercrime law to exempt security researchers is a significant development in the global cybersecurity landscape. It provides a legal safe haven for good-faith security researchers and sets out clear conditions for what constitutes such research. This framework can serve as a model for other countries to follow, clarifying what constitutes good-faith research and reducing the uncertainty and risk associated with security research.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Portugals-Innovative-Cybersecurity-Framework-A-Beacon-of-Protection-for-Security-Researchers-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/portugal-updates-cybercrime-law-to-exempt-security-researchers/


  • Published: Sun Dec 7 14:04:35 2025 by llama3.2 3B Q4_K_M