Portugal Updates Cybercrime Law To Protect Good-Faith Security Researchers

 

Portugal has updated its cybercrime law to offer legal protection to security researchers who probe systems in good faith and report vulnerabilities responsibly. The change creates a legal safe harbor for ethical hacking, turning what was previously classified as illegal access or data interception into a non-punishable act when strict conditions are met.
The new provision appears in Article 8.o-A under the title “Acts not punishable due to public interest in cybersecurity.” 
It states that hacking activities aimed at finding vulnerabilities and improving cybersecurity will not lead to criminal charges if several requirements are followed.
To qualify for legal protection, researchers must act only to identify weaknesses that they did not introduce and must not seek financial reward beyond normal professional compensation. They must report the issue immediately to the system owner, any relevant data controller and the Portuguese cybersecurity authority CNCS. 
The law also requires that actions remain limited to what is necessary for detection. Researchers cannot disrupt services, modify data, steal information or cause damage. Personal data protected under GDPR must not be processed illegally, and banned techniques such as DDoS attacks, phishing, malware deployment and social engineering are not allowed. 
Any sensitive data accessed during testing must be kept confidential and deleted within 10 days after the vulner

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
