Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions.
First spotted by Daniel Cuthbert, a new provision in Article 8.º-A, titled “Acts not punishable due to public interest in cybersecurity,” provides a legal exemption for actions that previously were classified as illegal system access or illegal data interception.
The exemption only applies when security researchers act for the purpose of identifying vulnerabilities and contributing to cybersecurity. The key conditions that must be met to be safe from criminal liability are:
- The research must aim solely at identifying vulnerabilities not created by the researcher and at improving cybersecurity through disclosure.
- The researcher cannot seek or receive any economic benefit beyond normal professional compensation.
- The researcher must immediately report the vulnerability to the system owner, any relevant data controller, and the CNCS.
- The actions must be strictly limited to what is necessary to detect the vulnerability and must not disrupt services, alter or delete data, or cause harm.
- The research must not involve any unlawful processing of personal data under GDPR.
- The researcher must not use prohibited techniques such as DoS or DDoS attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment.
- Any data obtained during the research must remain confidential and be deleted within 10 days of the vulnerability being fixed.
- Acts performed with the system owner’s consent are also exempt from punishment, but any vulnerabilities found must still be reported to the CNCS.
The new article clearly defines the limits of security research, and at the same time provides legal protection for well-intended hackers.
In November 2024, the Federal Ministry of Justice in Germany introduced a draft law that provided similar protections to security researchers who discover and responsibly report security flaws to vendors.
Earlier, in May 2022, the U.S. Department of Justice (DOJ) announced revisions to its federal prosecution policies regarding Computer Fraud and Abuse Act (CFAA) violations, adding an exemption for “good-faith” research.
Under these legal frameworks, security researchers are not only recognized but also given the safe space to proactively probe systems, uncover vulnerabilities, and report them without fear of legal consequences.

