
Portugal Exempts Security Researchers From Cybercrime Law

Summary

– Portugal has amended its cybercrime law to create a legal safe harbor for good-faith security research that identifies vulnerabilities to improve cybersecurity.
– To qualify for exemption, researchers must act without seeking extra economic benefit, avoid service disruption or data harm, and cannot use prohibited techniques like DoS attacks.
– Researchers must immediately report any found vulnerabilities to the system owner and the national cybersecurity authority (CNCS) and delete any obtained data within 10 days of a fix.
– Similar legal protections for security researchers have recently been introduced in other jurisdictions, including Germany and the United States.
– These legal frameworks aim to protect proactive security testing and responsible vulnerability disclosure from criminal prosecution.

Portugal has introduced a significant update to its national cybercrime legislation, creating a formal legal exemption for security researchers acting in good faith. This change establishes a clear safe harbor, ensuring that activities aimed at uncovering and responsibly disclosing software vulnerabilities are not treated as criminal acts under specific, stringent conditions. The move is designed to encourage proactive cybersecurity defense by protecting ethical hackers from prosecution.

The new provision, identified as Article 8.º-A, is formally titled “Acts not punishable due to public interest in cybersecurity.” It carves out an exception for actions that would traditionally be classified as illegal system access or data interception. The core intent is to shield researchers whose work is dedicated to identifying weaknesses and strengthening overall digital security.

To qualify for this protection, researchers must adhere to a strict set of rules. The investigation must focus exclusively on finding pre-existing vulnerabilities with the goal of improving cybersecurity through disclosure. Researchers cannot seek or receive any economic benefit beyond their standard professional compensation for this work. Any discovered flaw must be reported immediately to the system owner, the relevant data controller, and Portugal’s National Cybersecurity Center (CNCS).

The scope of permitted activity is narrowly defined. Actions must be strictly limited to what is necessary to detect the vulnerability. Researchers are expressly forbidden from disrupting services, altering or deleting data, or causing any harm. The law also prohibits any unlawful processing of personal data under the GDPR.

Certain techniques are completely off-limits and will void the exemption. Prohibited methods include denial-of-service (DoS) attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or the deployment of malware. Furthermore, any data obtained during the research must be kept confidential and permanently deleted within ten days of the vulnerability being patched. The law also notes that activities performed with the explicit consent of the system owner are exempt, though any findings must still be reported to the CNCS.

This legal framework provides much-needed clarity, defining the boundaries of acceptable security research while offering robust protection for ethical hackers. Portugal’s approach aligns with a growing international trend. For instance, in November 2024, Germany’s Federal Ministry of Justice proposed a draft law with similar protections for researchers who responsibly report flaws.

Earlier, in May 2022, the U.S. Department of Justice revised its prosecution policy regarding the Computer Fraud and Abuse Act (CFAA), introducing an exemption for good-faith security testing. Together, these evolving legal standards recognize the vital public service performed by security researchers. They create a safer environment for experts to probe systems, uncover critical vulnerabilities, and report them to vendors without the looming threat of legal retaliation.

(Source: Bleeping Computer)
