Practically exploitable security gaps in hardware and software threaten the IT security of private and state infrastructures. Eliminating these gaps is desirable for all actors – product manufacturers, operators and users.
The authors of this policy brief, Oliver Vettermann, Manuela Wagner, Maximilian Leicht and Felix Freiling, shed light on the current situation in dealing with IT security vulnerabilities. They point out conflicts that exist in practice between manufacturers and independent, proactive IT security researchers or ethical hackers. Coordination and reporting procedures such as the Coordinated Vulnerability Disclosure (CVD) process are currently neither legally binding nor implemented comprehensively. These legal uncertainties have an observable deterrent effect on researchers.
Legal impulses for a legal framework
To eliminate security gaps and make existing systems more resilient in the long term for all those affected, the authors set out legal impulses for a legal framework. These include, among other things, giving statutory form to the constitutional protection mandate to guarantee IT security, which requires balancing the multipolar fundamental rights and interests of researchers, product users and manufacturers or companies. Similarly, obstacles in criminal law should be removed, and IT security research should be anchored in the IT security landscape when IT security and data protection law are amended.
Establishment of a reporting and coordination authority
As a second solution, the authors propose the establishment of a reporting and coordination authority, which should be involved in the legally implemented processes. Such a body could ensure a coordinated balancing of interests and mediation between all parties involved, and thus establish a basis of trust from the reporting of a security vulnerability through to its publication and rectification. This enables process-oriented yet transparent communication between all parties, which is necessary to close IT security gaps effectively and sustainably.
Dr. Margret Hornsteiner
Head of Communications and Dialogue, bidt
Enquiries about the study
Prof. Dr.-Ing. Felix Freiling
Member of bidt's Board of Directors | Chair of Computer Science 1 (IT Security Infrastructures), Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)