Good news for “white hat” researchers. Bleeping Computer reports:
Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions.
[…]
The key conditions that must be met to be safe from criminal liability are:
- The research must aim solely at identifying vulnerabilities not created by the researcher and at improving cybersecurity through disclosure.
- The researcher cannot seek or receive any economic benefit beyond normal professional compensation.
- The researcher must immediately report the vulnerability to the system owner, any relevant data controller, and the CNCS.
- The actions must be strictly limited to what is necessary to detect the vulnerability and must not disrupt services, alter or delete data, or cause harm.
- The research must not involve any unlawful processing of personal data under GDPR.
- The researcher must not use prohibited techniques such as DoS or DDoS attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment.
- Any data obtained during the research must remain confidential and be deleted within 10 days of the vulnerability being fixed.
- Acts performed with the system owner’s consent are also exempt from punishment, but any vulnerabilities found must still be reported to the CNCS.
Read more at Bleeping Computer.
