VOSTOUPAL, Jakub, Václav STUPKA, Jakub HARAŠTA, František KASL, Pavel LOUTOCKÝ and Kamil MALINKA. The Legal Aspects of Cybersecurity Vulnerability Disclosure: To the NIS 2 and Beyond. Computer Law & Security Review. Great Britain: Elsevier, 2024, vol. 2024, No 53, p. 1-18. ISSN 0267-3649. Available from: https://dx.doi.org/10.1016/j.clsr.2024.105988.
Basic information
Original name The Legal Aspects of Cybersecurity Vulnerability Disclosure: To the NIS 2 and Beyond
Authors VOSTOUPAL, Jakub (203 Czech Republic, guarantor, belonging to the institution), Václav STUPKA (203 Czech Republic, belonging to the institution), Jakub HARAŠTA (203 Czech Republic, belonging to the institution), František KASL (203 Czech Republic, belonging to the institution), Pavel LOUTOCKÝ (203 Czech Republic, belonging to the institution) and Kamil MALINKA (203 Czech Republic, belonging to the institution).
Edition Computer Law & Security Review, Great Britain, Elsevier, 2024, 0267-3649.
Other information
Original language English
Type of outcome Article in a journal
Field of Study 50501 Law
Country of publisher United Kingdom of Great Britain and Northern Ireland
Confidentiality degree is not subject to a state or trade secret
WWW Link to the published text of the result
Impact factor: 2.900 in 2022
Organization unit Faculty of Law
Doi http://dx.doi.org/10.1016/j.clsr.2024.105988
UT WoS 001251010700001
Keywords in English Bug bounty; Liability; Vulnerability disclosure; Ethical hacking; Penetration testing; Criminal law
Tags International impact, Reviewed
Changed by: JUDr. Mgr. Jakub Harašta, Ph.D., učo 323070. Changed: 10/7/2024 08:54.
Abstract
This paper focuses on the legal aspects of responsible vulnerability disclosure, bug bounty programs and the legal risks associated with their implementation in the Czech Republic. Firstly, the authors introduce the basics of vulnerability disclosure procedures, identify different organisational models, and identify risks that may arise on the part of the organisation launching the bug bounty program or the hackers participating in it. The identified risks are divided into those arising from civil law, administrative law, and criminal law. For each identified risk, the authors then propose appropriate technical, organisational or legal solutions that can be applied to eliminate or reduce these risks. Nevertheless, the authors identified two areas that cannot be sufficiently mitigated through existing tools and laws and are likely to require legislative intervention: the matter of safeguarding the anonymity of reporters through confidentiality, and the problematic ability of public bodies to consent to the testing procedures.
Links
EF16_019/0000822, research and development project. Name: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur (Centre of Excellence for Cybercrime, Cybersecurity and Protection of Critical Information Infrastructures)