The Legal Aspects of Cybersecurity Vulnerability Disclosure: To the NIS 2 and Beyond

Authors

VOSTOUPAL Jakub; STUPKA Václav; HARAŠTA Jakub; KASL František; LOUTOCKÝ Pavel; MALINKA Kamil

Year of publication 2024
Type Article in Periodical
Magazine / Source Computer Law & Security Review
MU Faculty or unit

Faculty of Law

Citation
Web Link to the published text of the result
Doi http://dx.doi.org/10.1016/j.clsr.2024.105988
Keywords Bug bounty; Liability; Vulnerability disclosure; Ethical hacking; Penetration testing; Criminal law
Description This paper focuses on the legal aspects of responsible vulnerability disclosure, bug bounty programs and the legal risks associated with their implementation in the Czech Republic. First, the authors introduce the basics of vulnerability disclosure procedures, identify different organisational models, and identify the risks that may arise for the organisation launching the bug bounty program or for the hackers participating in it. The identified risks are divided into those arising from civil law, administrative law, and criminal law. For each identified risk, the authors then propose appropriate technical, organisational or legal measures that can be applied to eliminate or reduce it. Nevertheless, the authors identify two areas that cannot be sufficiently mitigated through existing tools and laws and are likely to require legislative intervention: safeguarding the anonymity of reporters through confidentiality, and the problematic ability of public bodies to consent to the testing procedures.