The Laws of Full Disclosure, 2008-02-26
(France) Eric Barbry: Actually, in my opinion, there is no specific text on this question in French law. However, this question could be solved with regard to other regulations, especially criminal law. The French penal code punishes fraudulent access to, or remaining within, all or part of an automated data processing system. Moreover, Article 323-3-1 of the criminal code stipulates: "Person who, without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer program or information created or specially adapted to commit one or more of the offenses prohibited by articles 323-1 to 323-3, is punished by the penalties prescribed for the offense itself, or the one that carries the heaviest penalty".
Therefore, it seems possible to punish the disclosure of security vulnerabilities in software on the basis of these articles if unlawful access has been committed or if the disclosure has been carried out under the conditions of Article 323-3-1. The risk of prosecution depends on the particulars of the security of the information system which is accessed.
Thus, in a decision of October 2002 [Cour d'Appel de Paris, Tati / Kitetoa, 30 octobre 2002], the Court of appeal of Paris (charged) a journalist who had accessed the information system of Tati. The objective of this journalist was to reveal security vulnerabilities on his website, Kitetoa. The Court did not consider the objective of (gathering) the information to (trump) the offense of intrusion on the information system. However, the Court did consider that the information system was "insufficiently secured" and that the offense of intrusion couldn't be committed on an "insufficiently secured" system.
The other criminal basis to punish disclosure of security vulnerabilities in software is counterfeiting regulations. In a decision of February 2006 [Cour d'appel de Paris 13ème chambre, section A. Arrêt du 21 février 2006. Guillaume T. (dit Guillermito) / Eyal D., Tegam International], the Paris Court of Appeals convicted Mr G. for counterfeiting the Viguard software. Mr G was interested in software vulnerabilities, and he disclosed on the Internet vulnerabilities of the Viguard software. The problem is that Mr G wasn't (the owner) of a license on the software and that he copied and disassembled certain elements of the software to publish them on the Internet.
In other cases, it will be more difficult to punish a disclosure, except if this disclosure is a violation of business secrets or an act of unfair competition.
(Germany) Marco Gercke: Marco gave a detailed interview to SecurityFocus and talked about vulnerability disclosure.
(Greece) Irini Vassilaki: Greek law does not explicitly prohibit the disclosure of vulnerabilities in software. The only provision that could cover this issue is Art. 370C par. 2 of the Greek criminal code, which punishes hacking. This normally punishes access to data that are stored in a computer system or are transported via telecommunications networks. The act must be committed "without right". This is especially the case when the access takes place through the violation of security measures which have been taken by the owner or other right holder of the system.
There is no case law on the interpretation of Art. 370C par. 2 GrCC. According to the legal literature, "without right" is every activity that takes place without the authorization of the right holder of the system. Therefore, any interference with the software that could (result in) the disclosure of vulnerabilities and occurs beyond such authorization takes place "without right".
For the prosecution of this offense, a complaint is required. I cannot imagine, however, that the disclosure of the vulnerabilities of software will be reported to the police by the right holder. This would have the result that the "weak parts" of the software would be public, and this would have negative consequences for the right holder.
(Hungary) Ferenc Suba: Before you disclose a security vulnerability in software, you should ask yourself a couple of questions to clarify the legal consequences of your action in Hungary. First, you should validate whether the information you give to the public is correct. If you publish incorrect vulnerability information, you may be liable for damages according to civil law, because you have damaged the reputation of the software producer.
Having checked that, you should pose the question whether the disclosure hurts the rights or legitimate interests of the software producer, any other third person or the public order. Concentrating on the software producer, you will not infringe any portion of its copyright or patent rights -- in case of computer-implemented inventions -- if you limit the disclosure to the vulnerability itself and you do not extend the publication to the parts of the software that are protected by the Copyright Act, the Patent Act or even the Penal Code.
If you look at third parties and public order, it is always important to show that you are acting in good faith, i.e. you are not disclosing the vulnerability to enable others to commit a crime against information systems, since that would fall under a crime regulated in the Penal Code. This can be done by attaching patch information to the vulnerability.
Having paid attention to the above, you can be sure that the disclosure will be a legal one and in conformity with the relevant provisions of the civil and penal laws of Hungary. Moreover, the legal disclosure of security vulnerabilities in software can be seen as an action that supports the fulfillment of regulatory requirements laid down in the Data Protection Act (in respect to data protection), the Act on Credit Institutions (in respect to the protection of their information systems), the Act on Electronic Communications (in respect to the protection of electronic communication and information systems), and the Government Decree on the National Security Supervisory Authority (in respect to the electronic security of the institutions falling under the scope of the authority).
