Lightning Talk #137 Ethical Hacking for a Safer Internet

Summary

This discussion focused on the legal challenges surrounding ethical hacking and the need for improved legal frameworks to support cybersecurity efforts. Tim Philipp Schafers from Mint Secure and lawyer Carolin Kothe presented their analysis of how different jurisdictions treat ethical hacking versus malicious hacking activities. They began by defining ethical hacking as systematic testing to uncover security vulnerabilities, distinguishing between authorized penetration testing and unauthorized but well-intentioned security research conducted for societal benefit.

The speakers emphasized the critical importance of external hackers in strengthening cybersecurity, noting that the NIS2 directive recognizes that most security disclosures come from external testers. They highlighted how crowdsourced defense works effectively, as demonstrated by open source software development and corporate bug bounty programs. However, they identified a significant problem: most legal systems fail to differentiate between ethical and malicious hacking, creating uncertainty and potential legal risks for security researchers.

The presentation examined various jurisdictional approaches across Europe, noting that Poland stands out as a rare example with explicit statutory support for ethical hacking when done solely to secure systems. Most other countries equate ethical hacking with criminal activity, though some like the US and France have prosecutorial discretion policies that provide safe harbor for responsible disclosure. The speakers outlined four key elements needed for an ideal legal framework: legal certainty, explicit immunity for ethical hackers, reframing of hacking terminology, and clear differentiation between ethical and malicious activities.

They concluded by calling for harmonized international regulations and greater public awareness to support collaboration between ethical hackers, private companies, and governments in strengthening cybersecurity defenses.

Keypoints

## Major Discussion Points:

– **Definition and Types of Ethical Hacking**: The speakers distinguish between malicious hacking and ethical hacking, explaining that ethical hacking involves systematic testing to uncover security vulnerabilities with good intent. They identify two subtypes: authorized ethical hacking (contracted penetration testing, bug bounty programs) and unauthorized ethical hacking done for societal benefit without financial gain.

– **Legal Inconsistencies Across Jurisdictions**: The presentation highlights how different countries treat ethical hacking legally, with most jurisdictions failing to distinguish between ethical and malicious hacking. Poland is cited as a rare positive example with explicit statutory support, while countries like Germany, the US, and France rely on prosecutorial discretion rather than clear legal protections.

– **Current Legal Challenges for Ethical Hackers**: Despite following responsible disclosure practices, ethical hackers face legal uncertainty, potential prosecution, and emotional pressure. Even when not prosecuted, they may face investigations, reputational damage, and restrictions on sharing their findings for educational purposes.

– **Proposed Legal Framework Improvements**: The speakers outline four key elements for better regulation: legal certainty, explicit immunity for responsible disclosure, reframing of hacking in public perception, and clear differentiation between ethical and malicious activities. They also advocate for harmonized international regulations.

– **Need for Collaboration and Public Awareness**: The discussion emphasizes the importance of ethical hackers in cybersecurity, citing examples like the Heartbleed bug discovery and DEF CON voting village, while calling for better collaboration between private sector, ethical hacking community, and government.

## Overall Purpose:

The discussion aims to advocate for legal reform that would protect and encourage ethical hacking by establishing clear legal frameworks that distinguish between beneficial security research and malicious cybercrime. The speakers seek to educate the audience about the value of ethical hacking and promote policy changes that would provide legal certainty for security researchers.

## Overall Tone:

The tone is professional, educational, and advocacy-oriented throughout. The speakers maintain an informative approach while expressing clear frustration with current legal ambiguities. The tone remains consistently constructive, focusing on solutions rather than criticism, and becomes more engaging during the Q&A session where practical concerns about surveillance and brain drain are addressed with empathy and understanding.

Speakers

– **Tim Philipp Schafers**: Co-founder of Mint Secure, specializes in ethical hacking and criminal law in regards to computer crime

– **Carolin Kothe**: Trained lawyer, does software development in her law firm, deals with questions of standardization and citizen knowledge as part of her role at the Liquid Legal Institute

– **Audience**: Multiple audience members asking questions during the Q&A session (roles and expertise not specified)

Additional speakers:

None – all speakers were included in the provided speakers names list.

# Legal Challenges and Reform Needs for Ethical Hacking: A Comprehensive Discussion Summary

## Introduction and Context

This discussion brought together Tim Philipp Schafers, co-founder of Mint Secure specializing in ethical hacking, and Carolin Kothe (pronounced “Carolin Kothein Kothe”) from the Liquid Legal Institute, who combines legal expertise with software development experience in standardization and citizen knowledge. Their presentation addressed the critical legal challenges facing ethical hackers and the need for comprehensive legal reform to support cybersecurity efforts while protecting legitimate security researchers.

The speakers presented their analysis through a structured four-step approach: defining ethical hacking and its variants, explaining why ethical hacking is important, examining current legal frameworks across jurisdictions, and proposing solutions for legal reform.

## Defining Ethical Hacking and Its Variants

Carolin Kothe explained that hacking fundamentally involves systematic testing to uncover security vulnerabilities, with the crucial distinction between ethical and malicious hacking lying in three critical factors: intent, authorization, and methods employed. The actual judgment of whether hacking is ethical or malicious depends on these factors rather than the technical actions themselves.

Kothe distinguished between two distinct subtypes of ethical hacking: authorized ethical hacking, which includes contracted penetration testing and corporate bug bounty programs, and unauthorized but benevolent ethical hacking, conducted without individual contracts but motivated by societal benefit rather than financial gain.

Tim Philipp Schafers referenced the established hacker ethic from the 1980s, later extended by groups like the Chaos Computer Club, which established moral principles including breaking systems to enhance security, avoiding data littering, and protecting private information. He provided concrete examples including the discovery of the Heartbleed bug in OpenSSL affecting HTTPS connections, testing conducted at DEF CON voting villages, and responsible information handling. Schafers also mentioned historical examples like the Loft hacker collective’s testimony and Taiwanese activist groups who handled sensitive information responsibly.

## The Critical Importance of Ethical Hacking in Cybersecurity

Both speakers emphasized the indispensable role of ethical hackers in modern cybersecurity. Kothe highlighted that external security researchers provide the majority of security disclosure reports to Community Emergency Response Teams (CERTs), as recognized by regulations like the NIS2 directive. This external perspective proves essential because internal security teams may miss vulnerabilities due to familiarity with their own systems.

Schafers noted that “crowdsource defense works,” referencing the open source software model where distributed scrutiny by many contributors strengthens overall security. Corporate recognition of ethical hacking’s value has grown, with companies increasingly investing in bug bounty programs, though Schafers cautioned that hackers can be “uncautious with their wording” when asking for rewards, potentially creating legal complications.

The speakers emphasized that ethical hacking serves as crucial defense against increasing cybercrime costs, both monetary and in terms of privacy breaches and infrastructure disruption.

## Legal Framework Disparities Across Jurisdictions

The presentation revealed significant inconsistencies in how different countries approach ethical hacking within their legal systems. Kothe’s analysis demonstrated that most jurisdictions fail to distinguish between ethical and malicious hacking, creating uncertainty for security researchers.

Poland emerged as a rare positive example, with explicit statutory support stating that no offense is committed when hacking is conducted “solely on the purpose of securing a system.” Kothe termed this a “unicorn regulation” that represents what comprehensive legal protection could look like, yet remains exceptional.

The complexity varies considerably across jurisdictions. Some countries require bypassing security measures as an objective element of computer crime, while others treat authorization as either an objective element or a justification defense. Countries like Latvia incorporate substantial harm requirements, while Germany and Austria include intent to harm or enrich as subjective elements, which better distinguishes ethical from malicious hacking but still creates uncertainty.

## Current Legal Challenges and Prosecution Approaches

Despite following responsible disclosure practices, ethical hackers face considerable legal uncertainty. Schafers emphasized the emotional pressure security researchers experience when discovering vulnerabilities, lacking clear statutory protection even when acting with beneficial intent.

The speakers identified four approaches jurisdictions currently employ: explicit statutory support (Poland), additional legal requirements favoring ethical hackers, prosecutorial discretion policies creating safe harbors, and reliance on justification defenses.

Countries like the United States and France have implemented prosecutorial discretion policies. Kothe referenced the justice.gov website and French authority safe harbor details, but noted these approaches remain inadequate because security researchers still technically commit crimes and face restrictions on publishing findings for educational purposes.

Even without prosecution, the investigation process creates significant hardship through mental burden, potential reputation damage, and restrictions on sharing research findings that could benefit the broader security community.

## Proposed Solutions for Comprehensive Legal Reform

The speakers outlined their “wish list” of four essential elements for an ideal legal framework. First, legal certainty must be established so security researchers understand how to responsibly report vulnerabilities without fear of prosecution.

Second, explicit immunity should be codified in law rather than relying on prosecutorial discretion. Third, comprehensive reframing of hacking terminology and public perception is necessary to move away from purely negative connotations. Fourth, clear legal differentiation between ethical and malicious actors must be established in statutory frameworks.

The speakers advocated for harmonized international regulation, recognizing that software vulnerabilities affect multiple jurisdictions and fragmented national approaches create unnecessary complexity for companies acting internationally.

## Audience Engagement and Unresolved Implementation Issues

The question-and-answer session revealed additional complexities. One audience member asked about Germany’s progress after a failed referendum, prompting Kothe to explain details about the “not authorized a scene if” provision and burden of proof considerations in German legal reform attempts.

An important concern was raised about whether intent requirements might expose security researchers to intrusive surveillance practices. Another audience member, Janik, questioned potential brain drain effects, suggesting that legal uncertainty might push talented individuals toward black hat activities rather than legitimate white hat security research. Schafers responded by noting that anonymous reporting through onion networks represents one way people navigate these legal uncertainties.

The question of how far ethical hackers can proceed in their testing activities remains unresolved, as hacking involves a series of actions rather than a single act, raising complex questions about which specific actions are covered by legal justifications.

## Areas of Consensus and Approach Differences

Both speakers agreed that ethical hacking provides essential security benefits and should be clearly distinguished from malicious activities. They shared the view that current legal frameworks create harmful uncertainty for security researchers and that comprehensive legal reform including explicit statutory protection is necessary.

Both advocated for harmonized international regulation and recognized that societal perception of hacking needs fundamental change. They agreed that prosecutorial discretion approaches are inadequate solutions.

Differences emerged primarily in emphasis, with Kothe providing detailed technical legal analysis while Schafers focused more on practical implementation needs and public awareness requirements.

## Conclusions and Call to Action

The speakers established that current legal approaches fail to serve either security or justice interests effectively, creating uncertainty for beneficial actors while potentially driving talent toward malicious activities. They called for comprehensive rather than piecemeal reform, addressing statutory protections, public perception, international coordination, and practical implementation challenges.

The speakers concluded with specific action items: collecting and discussing points about better legal frameworks within companies and with lawmakers, sharing ideas about differentiating between malicious and ethical activities, working toward harmonized international regulation, and increasing public awareness through education and discussion.

The discussion highlighted that achieving comprehensive reform will require sustained effort and careful attention to unintended consequences, while recognizing the essential role ethical hackers play in protecting digital infrastructure and systems.

Tim Philipp Schafers: Hello and welcome to our talk Ethical Hacking for a Safer Internet. My name is Tim Philipp Schafers and today we will talk about criminal law in regards of computer crime and I’m the co-founder of Mint Secure. We are also doing ethical hacking and I’m happy to be here today with Carolin Kothe.

Carolin Kothe: My name is Carolin Kothein Kothe, I’m a trained lawyer. I’m also doing the software development in my law firm. I’m also dealing with questions of standardization and citizen knowledge as part of my role at the Liquid Legal Institute. So we will examine today the legal patchwork concerning the treatment of ethical hacking in different jurisdictions and want to kind of show you how a harmonized framework could look like that empowers ethical hackers to strengthen our IT landscape. We will proceed in four steps, which is first defining what hacking and ethical hacking actually means to start with a common ontology for our talk. Then we will continue with kind of emphasizing the importance of external hackers as indispensable and then we will continue showing you the main differences in jurisdictions in Europe. Last but not least we will envision how an ideal legal framework could look like as a start of a little discussion. So what is ethical hacking? Hacking has a negative connotation, a negative narrative to it, but what it actually means is that we just do the systematic test to uncover security vulnerabilities and systems and applications in networks and to judge the actual act we have to look at the intent, we have to look at the authorization, we have to look at the methods that the hacker actually used. So what people usually have in mind when they think of hacking is this kind of malicious act, meaning somebody seeks private gain, sabotage, theft, but there’s also ethical hacking and we can even distinguish ethical hacking in two subtypes. The one that is authorized, meaning companies that actually hire penetration test teams or do bug bounty programs to invite external testers to actually back their defenses and then we have the other even more highly debatable group which doesn’t have these individual contracts but actually is just working without seeking financial benefit but doing it out of society’s reason, society’s interest. And because of that we will actually show you the disclosure policies that all these hackers, no matter what kind of ethical hacking group you belong to, will look like. But first we want to emphasize why we’re actually having this talk. So there’s an increasing surge in cybercrime and with that comes a high increase of costs and we don’t only mean the monetary cost to it but also the intangible risk. And that is actually why the regulators already have recognized it, they have recognized that it’s a need to put pressure on companies to invest in their security systems and especially we have seen this in the NIST2 directive which even states that the majority of disclosure reports come actually from external testers. And the market reinforces this, so there are already plenty of companies that invest heavily in bug bounty programs where they pay those who report responsibly and we also see this with an increase of open source usage. Because open source relies on so many eyes, they take this kind of expertise of different people which know different kind of security vulnerabilities to then build up higher security barriers. So crowdsource defense works and open source is a living proof of that. So already this kind of discussion is going on for quite a while already and to make an example of that I can hand over to Tim to give you one of these examples.

Tim Philipp Schafers: Yeah, thank you very much Carolin Kothe. Actually here you can see a testimony from the Loft hacker collective. It’s kind of the first time where hackers were in direct exchange with politicans and as you can see this is still a while ago and at that time it was kind of the first remarks where it was mentioned that there is certain critical infrastructures, that there is a real harm that can exist there. But actually not that much has changed in regards of how the media perceives hackers In general, as Carolin Kothe mentioned, this is very often connotated with a negative framing. And actually we kind of want to flip that and also want to emphasize that hacking is also a possibility to enhance security. And very often one can hear that hacking is malicious or something, but actually if we look back at the so-called hacker ethic, we see that even within this community there is a huge understanding how to act and how to act morally. Here you can see an excerpt from the so-called hacker ethic, which basically describes how you should work as a real hacker. And there you can see again that, for example, the idea of breaking things to enhance them and to make them even more secure is a very basic principle which is already there. Furthermore, that you should not litter with other people’s data and also use public data and protect private data. So this is really a common ground and understanding. In the 1980s, this was first kind of proposed and discussed and later on it was extended by the Chaos Computer Club, for example, where many people thought about, OK, how can we handle hacking or what is really good hacking in that regard. And to my personal understanding, it’s really important to understand that breaking things always some kind helps of fixing things. We also have a few examples here, which might be familiar for you or not. I just want to briefly mention a few of those things. Actually, there was a so-called Heartbleed bug, which was a security vulnerability within OpenSSL, which is used for transport layer security. And in 2014, there was a serious vulnerability in that software, which is basically used by a lot of web servers on the Internet. Probably when you enter a website and enter HTTPS, this software is used on the server side to encrypt certain connections. And the good thing is that people very often find these bugs, report these bugs, and that they can fix. This is mostly how open source software, for example, is secured. There’s also the principle that you don’t disclose any information about the security vulnerability before it is fixed. This is also closely related to the hacker ethic you have seen before. Furthermore, a second example is, for example, the so-called DEF CON voting village. DEF CON is a security conference in the US. And there is a basic idea that, for example, voting machines are hardly tested by hackers to see whether they are secure or not. And of course, this also helps to enhance the security at that point and to make sure that those components are secured. As Caro mentioned before, for example, the NIST2 directive also aims in the direction of saying, okay, it makes sense to break certain things and fix them afterwards. This is the basic enhancement process, I would say. And the third example here is from a Taiwanese activist group. To me, this is also very important because a lot of people think in regards of hacking always from the technical standpoint. But for a lot of hackers, and also for me personally, hacking also is handling information responsibly. And in this case, for example, people were able to make use of public information and APIs, and made a more user-friendly way to disclose information. This is very often also something that hackers do. So just to give you a few examples, what can be done with hacking, and this is just a short excerpt. There are many more examples where security of software and products were enhanced in the past also by certain people, hacker collectives, and so on. And now I would hand over to Caroline so that we look at certain legal examples.

Carolin Kothe: So after Tim told you about the disclosure policies, you might think that if you follow those policies, you are not treated as a criminal. Yet statutory certainty is quite rare for ethical hackers. Most countries still equate ethical hacking with criminals. And we had a referendum in Germany, which was actually So due to that and due to the fact that usually companies act internationally, meaning their software is internationally used, meaning we have always different jurisdictions affected, we actually had a look into the other countries. And we did found one good example, one rare example in the Polish panel code, which actually explicitly supports ethical hacking in the sense that it says no offense is committed if you do it solely on the purpose of securing a system. And however, this is kind of a unicorn regulation, because other states don’t do this differentiation. They equate ethical hacking with malicious hacking on the first place. So I can hand over to Tim what it actually means in practice, if you equate malicious hacking with ethical hacking.

Tim Philipp Schafers: Yeah, so in general, one potentially can imagine that it’s combined with a lot of emotional pressure also when you find, for example, a certain vulnerability, but you are unsure whether this is fully covered by the law and how to potentially report this. So what we see is that ethical hackers often are threatened by the classical legal system or how the laws are working. And from my perspective, the core question is whether we want this so that also ethical hackers are put under pressure or don’t know how to report certain vulnerabilities, or if it doesn’t make more sense to say, hey, please, please hack public systems to secure them to responsibly report this. There are some community emergency response teams around the world that also receive reports and handle them. And in a few cases, of course, it helps to make systems even more secure. In other cases, there was also the case that certain hackers got a little bit of legal pressure and were not able to disclose or talk a lot about these topics.

Carolin Kothe: So to understand the main differences between the jurisdictions and how they treat ethical hacking, we need to clarify, at least on a brief level first, what actually makes an act a crime and what will be punished and what will be prosecuted. So a crime usually has two conditions to it. The first one is, did you fulfill all the elements of the offense that is stated by the law? And the second one is, is this act deemed lawful or unlawful? And it is unlawful if you lack any kind of legal justification for it, as we mentioned the authorization at the start. So let’s have a look at the main differences in the jurisdictions, starting from the act itself. So actually, we have in every kind of jurisdiction some variance of, I’m assessing, I’m altering, interfering with the system, I’m interfering with data. But what we also have is that some countries, but not all of them, have an additional bypassing of security measures in their samples. And we also have the element of authorization, sometimes as an objective element of the act and sometimes as a justification. And as stated, that makes a huge difference, because one means that even commissioned ethical hackers committed a crime but are justified, and the I-didn’t-commit-a-crime-at-all kind of variation. There’s another issue with the authorization, especially when it comes to third-party systems, because there is a dispute, whose authorization do I actually need to be completely covered? It could be that I’m commissioned by one company, but if I’m accidentally or by intention accessing a third-party system, I might need another system owner’s authorization too. So even commissioned hackers are always in that kind of gray area, which is obviously not what is wanted. You have also countries that have put these additional requirements that kind of put up a higher threshold to it, which is to the benefit of ethical hackers, and that one example would be Latvia, who says you need an extra substantial harm. And this kind of substantial harm, though it’s kind of a vague, ambitious term, because what does substantial actually mean? It does help ethical hackers, because especially if you see it as financial harm, this is usually not fulfilled by ethical hackers, and by that you have this kind of distinction to it. But when we look actually onto the subjective elements of an offense, we actually see that some countries put even a better threshold that even distinguishes more between ethical hacking and malicious attacks, and that is, the subject element usually says you intentionally and knowingly do what is stated in the objective offense, but if you also add the intent to harm someone or the intent to enrich yourself or a third party to the law, which is quite easily done, which was also done in the German referendum, but also for example Austria is doing that, this intent is actually what differentiates the ethical hacker from the malicious attacks, and by that you kind of do this distinguishing, so ideal version of doing it. As stated, even if you meet all these technical requirements, the act itself could still be rendered as lawful if you have a justification reason. And most hackers argue whether it’s a state of emergency for this personal data or there’s a state of emergency because it’s critical infrastructure and we all kind of are dependent on that, and this is kind of highly debatable, because what means immediate? The state has happened already quite a while before, the state is there for quite a while already. And there’s another even severe question to the justification reason argument, because hacking is not just one act, it’s a series of actions, and the question is what of these actions are actually covered by the justification reason? So how far can I as a hacker actually go and how far is too far? What is actually required? But after all these issues, we want to mention one good thing, kind of at least, which is that most countries that till that point still equate ethical hacking and malicious attacks actually do not convict or prosecute. And we see, for example, in the US and in France, that there are public enforcement discretives, like you can actually see on, for example, the USA, on the justice government website, where they state as long as you follow the responsible disclosure guidelines, we won’t prosecute. Or in case of France, if you report to our authority that is meant for security, well, then you have a safe harbor, we won’t tell your name, even if some kind of complaint is filed. As said, you still have committed a crime, and it’s just not kind of prosecuted. And this comes also with a little kind of snippet to it, because what hackers, especially ethical hackers, like to do is use what they have done for educational purposes and kind of publish it, and they are not allowed to do that. As soon as they do, all this kind of on-hold procedure is gone. And that is also not helpful, because we want people to publish what could be a security vulnerability and exchange on that. So to sum it up, we have basically four different legal approaches. We have that explicit statutory support, like in Poland, where we already have in the law this kind of framing of ethical hackers are not seen as criminals, optimal version. Then we have the second kind of favorable version of putting additional requirements to it that are really fulfilled by ethical hackers. Also good, not optimal, because we kind of like that reframing of the first version. And then we have the prosecution directives, meaning, as stated, for example, for France, creating this kind of safe harbor to it. The last one, which is still happening in most of the countries, is the least favorable one, because it lets the hacker rely on justification reasons, let’s see, basically the interpretation of different judges, he never knows what is going to happen. And then we also have the thing that the prosecution investigation is still ongoing, meaning that they might face hard procedures, they might face mental load of legal battles, they might even face reputation loss, which is especially affecting those who have another business as IT researchers, too, to it. And leaving me up to that one, I can hand over to Tim and ask him what his wish list for ideal legal framework would be.

Tim Philipp Schafers: Yeah, actually we thought about, okay, what might be helpful and for better legal framework we have outlined at least four things that are important. On the one hand is legal certainty needs to be established, so what Caro mentioned that in a lot of cases, as a hacker reports something, maybe a case is opened or not, but yeah, it would be great if it would be very clear. that you really know, okay, where is it possible to responsibly report certain security vulnerabilities and how to act in the legal framework. Then there’s another point, explicit immunity. So like we heard about safe harbor regulations, that this is really stated in the law that you are allowed to report certain security vulnerabilities. As mentioned before, a lot of computer emergency response teams around the world say, hey, please report us security vulnerabilities, but in the law, this case is not existing at all. So that is very important that also the lawmaker understands, okay, it makes sense and that ethical hacking helps to secure systems and enhance security of companies and for the society, for our society in general. Then this reframing of hacking so that this is not just a negative approach or that hacking harms certain people or system, but that is also very positive. Also in the media, as mentioned before, you can see that very often the term hacker is connotated negatively, but from our perspective, this must not be the case. It’s more the question how we perceive this and how those people really act. And there’s also a way of acting responsibly. And then the differentiation, as mentioned before, between ethical hacking and malicious actors. This is really important in a lot of cases, not the case in the law itself. So it just describes hacking as a bad thing, which might be something from the past and where we need to reframe this. Then some general actions or something we wish from your side, on the one hand, that you potentially collect this points about a better legal framework, also in discussions within your company, maybe also with lawmakers, that you kind of share the idea and describe why it makes sense to differentiate between malicious activities and ethical activities. Then a harmonized regulation would make sense because even if some countries adapt the change, the problem exists that if you, for example, find a certain security vulnerability in a software, it might be used in a lot of different countries and jurisdictions, which is also a problem because if you, as an ethical hacker, report a certain vulnerability in one country and then you report it in another country and one country has a stricter hacking law, so to say, then you would face legal problems. So it would make a lot of sense to have a harmonization of the regulation and the reporting ways in that regard. And in general, that’s also why we are giving the talk here, is to have a greater public awareness and empathy about those topics, so that it can be discussed. Because the ultimate goal from our perspective is that we really tackle security vulnerabilities, make it even harder for hackers to break systems, and for that a stronger collaboration between the private sector, the ethical hacking community and even the government is needed to enhance the security level. Because from our perspective, nowadays, sometimes they are still in their corner, so maybe the government is saying, hey, we need to prosecute hackers, because as we have seen, cybercrime is a big topic, that the hacking community tries to do certain things, tries to improve software with open source projects, as we have heard, and of course also the private companies have an interest in regards of really prosecute malicious intents, but maybe also, as Caro mentioned, with bug bounty programs, have a reward for ethical hacking and really use it as a driving force, which can help us to secure systems. Yeah, that maybe as an overview. So thank you very much. We would have the possibility for one or two questions, if there are any from the public, so to say. So thank you very much. So are there any questions or examples? So we have one here at the front.

Audience: Thank you. Not really an example, but just a question. See, I gather you are German. Do you have any idea where this is going in Germany? Try that referendum, which didn’t fly, I understand. Any other progress in sight?

Tim Philipp Schafers: Actually, we have a new government and they also put this in the plan for the next year, so to say. So my hope is that over the next couple of years, we will see some progress there. But the current or the last referendum thing now is gone. So it needs to be built up completely new, which is really important for our point of view, because the German law explicitly, yeah, not differentiates between ethical hacking and malicious attempts.

Carolin Kothe: The referendum, I think, ran there as I talked about it. The referendum that was there before the election actually included an exception for people who do it solely for the purpose of securing a system and has this additional intent as a requirement. But it’s a little bit still up to debate if it’s just an acceptable or even ideal solution, because what they did is they just added a paragraph to it and said not authorized a scene if, and that might seem like kind of like simple, like why does it matter? But some argue that this is actually putting a point on the question of who needs to prove what. Do I need now, some ethical hackers read that as do I now need to prove that I didn’t have a malicious intent? And in my view, that is not the case, because in Germany, you have the principle of the prosecutor needing to prove the stuff. And usually you have, when it comes to prosecution and they need to prove if you had a certain intent, then prosecutors will have a hard time struggling that you had this kind of intent of enrichment or intent of harming someone. Especially, there’s one little exception to that, because sometimes ethical hackers are a little bit uncautious with their wording in their reports and ask for, well, I would be happy if you would give me a reward for finding your vulnerability, and that could cause some suspicion. But except that, I think it’s fine.

Audience: Hi, yeah, thanks for the excellent presentation. I already raised my hand like a few minutes ago, and you started answering my question already. But I was wondering about this intent requirement, as you were just talking about, because I was wondering if it doesn’t maybe expose security researchers maybe to intrusive surveillance practices to like figure out if there was malicious intent. I was just wondering if you have any knowledge of something like this going on, or whether this is not possible under the current laws?

Tim Philipp Schafers: Actually, as Caro described, very often there are cases that are opened, and when a case is opened, there’s uncertainty for the people that are affected by that. And that could also mean for security researchers that they might be under surveillance, so to say, because somebody might need to find out, okay, what are they doing, why are they doing this, are they acting on their own, and so on. That’s why we need a clearer regulation on that, to make sure that people are not threatened, that people responsibly can report it and have kind of a peace of mind in what they are doing, because they are securing certain systems which are very important to us.

Audience: That’s why we graded the prosecution approach a little bit lower, because that means that there is already investigation if you have this intent, if you’re acting in good faith, if you have followed all the responsible disclosure guidelines, and that could, in practice, we actually know that this basically is you getting called, what did you do, what was your intention, and if they are then fine with you, then it’s good to go, but that is already causing a hard race for the ethical hacker itself, because he knows he’s part of this prosecution investigation. Hi, I’m Janik, I used to work in the industry, and what I saw at that time when I worked there, that it’s also a matter of brain drain, because people would go rather in the black hat direction and not in the white hat direction, just exclusively working over the onion net or something, would you say that it’s the case for today as well, or is it in a better state?

Tim Philipp Schafers: I mean, in some cases it makes sense to report security vulnerabilities anonymous, because you want to have your name attached to this, I know certain cases where this happened, but from my perspective it’s very sad that things like that are needed, or that security researchers might hide their activity behind the onion network or things like that, because it should be legal, because it really helps us to secure certain systems, and from my perspective it’s really something from the past that you say, okay, this is just illegal activity and needs to be prosecuted, because we have learned a lot through hacking to understanding how the world and systems work and how to improve them, because, I mean, every human makes mistakes, every program or computer can make mistakes, so it makes sense to recognize this and to change it to the better in regards of hacking in general, and maybe also to the law in that case. Okay, I think then we are fine, thank you very much for having us, and have a nice day. Thank you.

Agreement points

Ethical hacking provides essential security benefits and should be distinguished from malicious hacking

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Hacking involves systematic testing to uncover security vulnerabilities, with the actual judgment depending on intent, authorization, and methods used

External hackers are indispensable as the majority of disclosure reports come from external testers, as recognized by the NIST2 directive

The hacker ethic from the 1980s establishes moral principles including breaking things to enhance security, not littering with others’ data, and protecting private information

Breaking systems helps fix them, as demonstrated by examples like Heartbleed bug discovery, DEF CON voting village testing, and responsible information handling by activist groups

Summary

Both speakers agree that ethical hacking serves a vital security function and should be clearly differentiated from malicious activities based on intent, methods, and outcomes. They provide evidence of its effectiveness and established ethical principles.

Topics

Cybersecurity | Legal and regulatory

Current legal frameworks are inadequate and create uncertainty for ethical hackers

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Most countries equate ethical hacking with criminal hacking, creating statutory uncertainty for ethical hackers

Even when following responsible disclosure policies, ethical hackers lack statutory certainty and may still be treated as criminals

Ethical hackers face emotional pressure and uncertainty when finding vulnerabilities due to unclear legal coverage

Current prosecution approaches still involve investigation procedures that create mental burden and potential reputation loss for ethical hackers

Summary

Both speakers agree that existing legal systems fail to provide adequate protection for ethical hackers, creating uncertainty and stress even for those following best practices.

Topics

Legal and regulatory | Cybersecurity

Legal reform should include explicit statutory protection and clear differentiation

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Poland provides a rare positive example with explicit statutory support, stating no offense is committed when done solely for system security purposes

Legal certainty must be established so hackers know where and how to responsibly report vulnerabilities

Explicit immunity should be codified in law, not just stated by computer emergency response teams

Clear differentiation between ethical hacking and malicious actors should be established in legal frameworks

Summary

Both speakers advocate for comprehensive legal reform that provides explicit statutory protection for ethical hackers and establishes clear legal distinctions between ethical and malicious activities.

Topics

Legal and regulatory | Cybersecurity

Similar viewpoints

Both speakers believe in the effectiveness of collaborative, distributed approaches to cybersecurity and see market validation through increased corporate investment in ethical hacking programs.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Crowdsourced defense works effectively, with open source software serving as proof that many eyes make security stronger

Companies are increasingly investing in bug bounty programs and recognizing the value of responsible vulnerability reporting

Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security

Topics

Cybersecurity | Economic

Both speakers recognize that the global nature of software and cybersecurity requires harmonized international legal approaches rather than fragmented national regulations.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions

Legal frameworks differ in their elements: some require bypassing security measures, others have authorization as objective elements vs. justifications, creating confusion about whose authorization is needed for third-party systems

Topics

Legal and regulatory | Jurisdiction

Both speakers believe that societal perception of hacking needs to change and that current prosecutorial discretion approaches are insufficient because they still treat ethical hacking as criminal and restrict educational sharing.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Reframing of hacking is needed to move away from purely negative connotations in media and public perception

Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes

Topics

Sociocultural | Legal and regulatory

Unexpected consensus

Prosecution discretion approaches are inadequate despite being more favorable than criminalization

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes

Legal investigations can cause hardship for ethical hackers even when they ultimately face no prosecution

Explanation

It’s somewhat unexpected that both speakers would criticize what might seem like progressive approaches (prosecutorial discretion) as still inadequate. This shows their commitment to fundamental legal reform rather than accepting partial solutions.

Topics

Legal and regulatory | Cybersecurity

The importance of educational sharing and publication of security findings

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes

Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security

Explanation

The emphasis on the right to publish and share security research findings for educational purposes represents an unexpected consensus on the importance of knowledge dissemination beyond just vulnerability reporting.

Topics

Cybersecurity | Human rights

Overall assessment

Summary

There is strong consensus between the two main speakers on the fundamental issues: ethical hacking provides essential security benefits, current legal frameworks are inadequate and harmful, and comprehensive legal reform with explicit statutory protection is needed. They also agree on the need for international harmonization and societal reframing of hacking.

Consensus level

Very high consensus between the main speakers, with audience questions reinforcing concerns about current legal approaches. This strong agreement suggests a well-developed shared understanding of the problems and solutions in this field, which could facilitate coordinated advocacy for legal reform.

Different viewpoints

Adequacy of prosecution discretion approaches vs. statutory reform

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes

Explicit immunity should be codified in law, not just stated by computer emergency response teams

Summary

While Kothe acknowledges prosecution discretion as a partial solution, Schafers emphasizes the inadequacy of this approach and the need for explicit legal immunity. Kothe presents it as one of four approaches while Schafers argues it’s insufficient because it still treats ethical hacking as criminal.

Topics

Legal and regulatory | Cybersecurity

Unexpected differences

Scope of surveillance concerns in intent-based legal frameworks

Speakers

– Audience
– Tim Philipp Schafers
– Carolin Kothe

Arguments

Intent requirements may expose security researchers to intrusive surveillance practices to determine malicious intent

Legal investigations can cause hardship for ethical hackers even when they ultimately face no prosecution

Explanation

An audience member raised concerns about surveillance implications of intent-based frameworks, which the speakers had not fully addressed despite advocating for intent-based legal distinctions. This revealed a potential tension between their proposed solutions and privacy concerns.

Topics

Human rights | Privacy and data protection | Legal and regulatory

Overall assessment

Summary

The discussion showed minimal direct disagreement between the main speakers, who were largely aligned in their goals. The primary tension was between different approaches to legal reform rather than fundamental disagreements about objectives.

Disagreement level

Low disagreement level among main speakers, with most differences being matters of emphasis rather than substance. The audience questions revealed some unaddressed concerns about implementation details, but overall there was strong consensus on the need for legal reform to protect ethical hackers. This high level of agreement suggests the speakers were presenting a unified advocacy position rather than debating competing approaches.

Partial agreements

Similar viewpoints

Both speakers believe in the effectiveness of collaborative, distributed approaches to cybersecurity and see market validation through increased corporate investment in ethical hacking programs.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Crowdsourced defense works effectively, with open source software serving as proof that many eyes make security stronger

Companies are increasingly investing in bug bounty programs and recognizing the value of responsible vulnerability reporting

Greater public awareness and collaboration between private sector, ethical hacking community, and government is needed to enhance overall security

Topics

Cybersecurity | Economic

Both speakers recognize that the global nature of software and cybersecurity requires harmonized international legal approaches rather than fragmented national regulations.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions

Legal frameworks differ in their elements: some require bypassing security measures, others have authorization as objective elements vs. justifications, creating confusion about whose authorization is needed for third-party systems

Topics

Legal and regulatory | Jurisdiction

Both speakers believe that societal perception of hacking needs to change and that current prosecutorial discretion approaches are insufficient because they still treat ethical hacking as criminal and restrict educational sharing.

Speakers

– Carolin Kothe
– Tim Philipp Schafers

Arguments

Reframing of hacking is needed to move away from purely negative connotations in media and public perception

Some countries like the US and France have prosecution discretion policies creating safe harbors, but hackers still technically commit crimes and cannot publish their findings for educational purposes

Topics

Sociocultural | Legal and regulatory

Key takeaways

Ethical hacking should be legally distinguished from malicious hacking based on intent, authorization, and methods used

Current legal frameworks in most countries treat ethical and malicious hacking equally, creating uncertainty and potential criminalization of beneficial security research

External ethical hackers are essential for cybersecurity, with the majority of vulnerability disclosures coming from external testers

Poland provides the best legal model with explicit statutory support for ethical hacking when done solely for system security purposes

Four legal approaches exist: explicit statutory support (optimal), additional requirements favoring ethical hackers, prosecution discretion policies, and reliance on justification defenses (least favorable)

Legal uncertainty may cause brain drain from white hat to black hat activities and discourage beneficial security research

Harmonized international regulation is necessary since software vulnerabilities affect multiple jurisdictions

Resolutions and action items

Collect and discuss points about better legal frameworks within companies and with lawmakers

Share ideas about differentiating between malicious and ethical activities to promote understanding

Work toward harmonized international regulation for vulnerability reporting

Increase public awareness and empathy about ethical hacking through education and discussion

Foster stronger collaboration between private sector, ethical hacking community, and government to enhance security

Unresolved issues

Germany’s new government plans to address ethical hacking legislation but timeline and specific approach remain uncertain

Debate continues over whether intent requirements place burden of proof on ethical hackers

Concerns about potential intrusive surveillance of security researchers to determine intent remain unaddressed

Question of how far ethical hackers can go in their testing activities and what actions are covered by legal justifications

Uncertainty about whose authorization is needed when accessing third-party systems during security research

Issue of ethical hackers being unable to publish findings for educational purposes under current prosecution discretion policies

Suggested compromises

Prosecution discretion policies that create safe harbors for ethical hackers who follow responsible disclosure guidelines (as implemented in US and France)

Adding substantial harm requirements to legal frameworks to create higher thresholds that favor ethical hackers

Including intent to harm or enrich as subjective elements in laws to better distinguish ethical from malicious hacking

Creating explicit exceptions in law for those acting solely to secure systems while maintaining overall computer crime protections

We can even distinguish ethical hacking in two subtypes. The one that is authorized, meaning companies that actually hire penetration test teams or do bug bounty programs… and then we have the other even more highly debatable group which doesn’t have these individual contracts but actually is just working without seeking financial benefit but doing it out of society’s reason, society’s interest.

Speaker

Carolin Kothe

Reason

This distinction is crucial because it identifies the core legal challenge – while authorized ethical hacking has some legal protection through contracts, unauthorized ethical hacking done for societal benefit exists in a legal gray area. This nuanced categorization moves beyond the simple ‘good hacker vs bad hacker’ narrative to reveal the complexity of motivations and legal standings.

Impact

This comment established the fundamental framework for the entire discussion. It shifted the conversation from a binary view of hacking to a more sophisticated understanding that would inform all subsequent legal analysis. The presenters repeatedly returned to this distinction when discussing different jurisdictions and legal approaches.

Most countries still equate ethical hacking with criminals… And we did found one good example, one rare example in the Polish panel code, which actually explicitly supports ethical hacking in the sense that it says no offense is committed if you do it solely on the purpose of securing a system. And however, this is kind of a unicorn regulation, because other states don’t do this differentiation.

Speaker

Carolin Kothe

Reason

This observation is particularly insightful because it demonstrates that legal frameworks CAN distinguish between ethical and malicious hacking, but most choose not to. The term ‘unicorn regulation’ effectively captures how rare progressive legal thinking is in this area, highlighting the gap between what’s possible and what’s implemented.

Impact

This comment served as a pivotal moment that transitioned the discussion from theoretical concepts to concrete legal realities. It provided hope (Poland’s example) while emphasizing the widespread problem, setting up the subsequent detailed analysis of different jurisdictional approaches.

There’s another even severe question to the justification reason argument, because hacking is not just one act, it’s a series of actions, and the question is what of these actions are actually covered by the justification reason? So how far can I as a hacker actually go and how far is too far?

Speaker

Carolin Kothe

Reason

This comment reveals a sophisticated understanding of the practical complexities that legal frameworks fail to address. It moves beyond theoretical discussions to the granular reality of how ethical hacking actually works – as a process involving multiple steps, each potentially requiring separate legal justification.

Impact

This observation deepened the technical legal analysis and highlighted why simple legal fixes are insufficient. It demonstrated that even well-intentioned legal protections may be inadequate because they don’t account for the multi-step nature of security research, adding complexity to the discussion of ideal legal frameworks.

I was wondering about this intent requirement… because I was wondering if it doesn’t maybe expose security researchers maybe to intrusive surveillance practices to like figure out if there was malicious intent.

Speaker

Audience member

Reason

This question introduced an unexpected dimension – the potential for legal protections themselves to create new problems. It showed sophisticated thinking about unintended consequences and how attempts to protect ethical hackers might paradoxically harm them through surveillance.

Impact

This question elevated the discussion by introducing the concept that legal solutions might create new problems. It prompted the speakers to acknowledge that even ‘better’ legal approaches (like prosecution discretion) still involve investigations that can harm ethical hackers, reinforcing their argument for clearer statutory protections.

What I saw at that time when I worked there, that it’s also a matter of brain drain, because people would go rather in the black hat direction and not in the white hat direction, just exclusively working over the onion net or something.

Speaker

Audience member (Janik)

Reason

This comment introduced a critical societal consequence that hadn’t been explicitly discussed – that unclear legal frameworks may actually push talented individuals toward malicious activities. It connected legal policy to broader cybersecurity outcomes in a concrete way.

Impact

This observation added urgency to the discussion by suggesting that poor legal frameworks don’t just harm individual ethical hackers, but may actively contribute to cybercrime by driving talent toward illegal activities. It reinforced the speakers’ arguments about the societal benefits of clear legal protections.

Overall assessment

These key comments transformed what could have been a straightforward legal presentation into a nuanced exploration of complex policy challenges. The speakers’ sophisticated categorization of ethical hacking types and jurisdictional approaches provided a solid analytical framework, while the audience questions introduced unexpected dimensions like surveillance concerns and brain drain effects. Together, these comments revealed that the issue extends far beyond simple legal reform – it involves balancing security needs, individual rights, societal benefits, and unintended consequences. The discussion evolved from describing the problem to exploring why solutions are complex and why the stakes are higher than initially apparent, ultimately making a compelling case for urgent, thoughtful legal reform.

What is the current status and future progress of ethical hacking legislation in Germany following the failed referendum?

Speaker

Audience member

Explanation

The audience member specifically asked about progress in Germany after the referendum didn’t pass, and while Tim mentioned the new government has plans, the specific timeline and approach remain unclear

Do intent requirements in ethical hacking laws expose security researchers to intrusive surveillance practices to determine malicious intent?

Speaker

Audience member

Explanation

This question addresses a potential unintended consequence of legal frameworks that require proving intent, which could lead to privacy violations for legitimate security researchers

Is there currently a brain drain problem where potential ethical hackers choose black hat activities over white hat due to legal uncertainties?

Speaker

Janik (audience member)

Explanation

This question explores whether unclear legal frameworks are pushing talented individuals toward illegal hacking activities rather than legitimate security research, which would be counterproductive to cybersecurity goals

How can harmonized international regulation be achieved given the complexity of different legal systems and jurisdictions?

Speaker

Tim Philipp Schafers and Carolin Kothe

Explanation

While they identified the need for harmonized regulation, the practical steps and mechanisms for achieving international coordination on ethical hacking laws were not detailed

What constitutes ‘substantial harm’ in jurisdictions like Latvia that use this threshold, and how can this vague term be better defined?

Speaker

Carolin Kothe

Explanation

Carolin noted that ‘substantial harm’ is an ambiguous term that helps ethical hackers but lacks clear definition, which could lead to inconsistent application

How far can ethical hackers go in their testing activities when relying on justification reasons, and what specific actions cross the line?

Speaker

Carolin Kothe

Explanation

This addresses the practical boundaries of ethical hacking activities and what constitutes acceptable versus excessive testing when operating under legal justifications

Whose authorization is actually required when ethical hackers access third-party systems during commissioned testing?

Speaker

Carolin Kothe

Explanation

This legal gray area affects even commissioned ethical hackers and needs clarification to provide proper legal protection