Yes, because any circumvention of any form of security, be it as useless as a hardcoded default password, is considered a crime in German law. So even the discovery of a security flaw puts you with one foot in jail, because technically you did something you are not supposed to.
Interestingly, I didn’t have to circumvent any security measures to uncover the vulnerability. They had a page that was leaking api keys - all you had to do was watch the network requests. That’s why I chalk it up to luck and not my prowess in cyber security.
Not like there have been no initiatives. But given that our biggest party also sued after someone pointed out their technical fuck-ups it is not likely to happen.
I know a guy who did exactly that and got sued. The security failure he reported even was a Straftatbestand committed by the company and so he won the process. German companies really love shooting themselves in the foot.
Over here, not just sued, but sued for extortion because they had the audacity to ask for bug bounty. Ok then, if I ever find a security hole that exposes sensitive data, filing a gdpr report it is
For the record, I didn’t bring up a bounty, but I still received payment. It helps that it is a small company, and that the CEO is also a developer. They were so grateful for the discovery that the bounty was freely offered without me asking.
You are braver than I am because here in Germany usually people get sued for reporting security vulnerabilities.
Yep, don’t do that if you live in a Internet ist Neuland country.
tf? They should offer you a job if anything.
That is if you’d live in a place with an open attitude toward new technologies.
But the technology is already there in place, and you get sued if you point out security flaws in it? Crazy.
Yes, because any circumvention of any form of security, be it as useless as a hardcoded default password, is considered a crime in German law. So even the discovery of a security flaw puts you with one foot in jail, because technically you did something you are not supposed to.
Interestingly, I didn’t have to circumvent any security measures to uncover the vulnerability. They had a page that was leaking api keys - all you had to do was watch the network requests. That’s why I chalk it up to luck and not my prowess in cyber security.
Time for some reform. Finding security holes is very important and benefits everyone.
Not like there have been no initiatives. But given that our biggest party also sued after someone pointed out their technical fuck-ups it is not likely to happen.
I know a guy who did exactly that and got sued. The security failure he reported even was a Straftatbestand committed by the company and so he won the process. German companies really love shooting themselves in the foot.
Over here, not just sued, but sued for extortion because they had the audacity to ask for bug bounty. Ok then, if I ever find a security hole that exposes sensitive data, filing a gdpr report it is
For the record, I didn’t bring up a bounty, but I still received payment. It helps that it is a small company, and that the CEO is also a developer. They were so grateful for the discovery that the bounty was freely offered without me asking.
I’m glad that it worked out for you. May you always encounter levelheaded proper in life