A guide to safely reporting discovered vulnerabilities

Ethical hackers aim to serve the public interest, but they may still face criminal charges. Unauthorised penetration testing is against the law, so it is important to be able to prove, in every case, that your activities were not malicious.

Before exploring a vulnerability, familiarise yourself with the Criminal Code, in particular Article 375, "Fraud using an information system". If in doubt, consult a legal expert.


Basic principles for ethical operation:

  1. Public interest objectives

    The detection of errors should always be in the public interest. Financial gain or personal interest must not be the motivation. It is not necessary to offer free bug fixes, but hacking for profit is very difficult to defend. The only exception is work done within a registered bug bounty program.

  2. Documentation

    Keep a detailed record of every step, including troubleshooting, communication and any changes made. Also document why you started looking for the problem and how your actions serve the public interest.

  3. Transparency

    Do not hide your tracks; be able to demonstrate that your activities were neither concealed nor malicious. If you change any data, record every step in detail.

  4. Contact

    Report detected errors to the relevant decision-makers as soon as possible, and never with blackmail. Do not attach conditions to the disclosure of errors, and make sure that those responsible have access to all the information needed to fix the problem. Document the messages sent and the responses received.

  5. Moderation

    Go only as far in your investigation as you have been asked to, and do not return without permission. If the parties concerned specifically ask you not to carry out further exploration, respect this.

  6. Going public

    Only go public if the parties concerned do not react within a reasonable time and the public interest justifies it. Do not share information that could be misused: describe the problem in general terms, so that lay people can understand it but malicious actors cannot exploit the flaw.

  7. Protection of personal data

    Do not search for or save personal data. If access to such data is unavoidable, record that the data subject has consented.
    Avoid at all costs obtaining or disclosing sensitive data (e.g. state secrets).

  8. Special cases

    If the problem identified concerns a matter of public interest (e.g. corruption, abuse of power), it may be appropriate to inform the public first. Even then, take care to act proportionately and disclose only as much information as is necessary for the purpose.

  9. A targeted approach to identifying errors

    In the case of public or municipal organisations, whistleblower protection can apply if the rules are followed. In the case of private companies, it is also important to ensure that the detection of errors serves the interests of as many people as possible. Avoid investigating smaller, less relevant targets, because such cases are difficult to defend in court.