The Laws of Full Disclosure, 2008-02-26
(Ireland) TJ McIntyre: We have no law in this area as of yet. It is possible that possession of hacking tools or a crack or exploit code might amount to the offense of possession of an item with intent to damage property (note that property includes data). It is also possible that the method used to discover a vulnerability might itself amount to a crime under s.5 CDA 1991 or s.9 Criminal Justice (Theft and Fraud Offences) Act 2001. There may also be contractual or licence provisions which restrict a user's ability to disclose vulnerabilities. Otherwise, though, this area is a blank slate.
(Italy) Gabriele Faggioli: No legal measure exists in our ordinance that specifically refers to vulnerabilities and/or exploits. However, some norms do exist that abstractly can be considered applicable to research and the publication of vulnerabilities and/or exploits. First of all, it is important to consider that research into vulnerabilities related to operating systems and applications is not always considered a legal activity. With reference to proprietary software -- with closed-source code -- precise norms are defined by the law on copyrights (Law n. 633 of 22nd April 1941 and subsequent modifications). On the one hand, (the laws) allow the legitimate owner of a copy to observe, study or subject operation of the program to a test, with the objective of establishing the ideas and principles upon which each element of the program is based -- if such activities are performed during the loading, visualization, execution, transmission or storage operations of the program. On the other hand, the possibility of performing de-compilation operations is limited to special cases, such as the achievement of inter-operability with other programs.
Implemented in accordance with the law on copyrights, research and the subsequent publication of vulnerabilities related to software is not illegal as long as some specific details are adopted. In particular, the person who discovers the vulnerabilities should inform the manufacturer of the program that the vulnerability refers to, in advance, in order to allow him to create a "patch" before any possible publication. In the absence of this prior transmission of information, the individual who has disseminated the vulnerability may be called upon to compensate, on a civil level, damages caused by third parties due to the effect of its publication. This behavior may be considered contrary to the principle of good faith, as such damages, even if they are involuntary, generated indirectly by the integral publication of vulnerabilities, could have been avoided or limited through much more diligent behavior by the person in charge of their diffusion.
Another topic applies to research of vulnerabilities that refers to specific information technology systems implemented by third parties -- for example by a company. These research activities may constitute the abusive computer access crime regulated by article 615/ter of the penal code if used, for example, through penetration tests not authorized by the company. The norm indicated, in reality, specifically punishes the behavior of anybody who illegally enters a computer system protected by safety measures or remains in the system against the specific desire of whoever has the right to exclude him, and the crime can be punishable as a pure attempt. The subsequent publication of vulnerabilities may, in this case, have an independent penal importance. Article 615/quater of the penal code ("Abusive detention and diffusion of access codes to computer or remote systems") considers it a crime for an individual who, with the objective of creating profit for himself or for others or creating damages to others, illegally obtains, reproduces, diffuses, communicates or delivers codes, passwords or other suitable means for access to a computer or remote system, protected by safety means, or provides indications or instructions suitable for the aforementioned purposes.
With reference to the publication of exploits (or programs/codes created to take advantage of a previously identified vulnerability), article 615 of the penal code may be used as it punishes the diffusion, communication or delivery of programs whose objective or whose effects include damage to a computer or remote system or alteration of its operation. This norm, traditionally associated with the diffusion of computer viruses, may be applied to the publication of exploits that may result in alterations to the computer system whose vulnerabilities are exploited.
Despite the aforementioned norms examined, considered to be abstractly applicable to the publication of vulnerabilities and exploits, no ruling has yet been issued by Italian judges on a concrete case. At the same time, no intervention has been planned by our legislators in order to regulate this topic.
