Digg this story   Add to del.icio.us   (page 4 of 5 ) previous  next 
The Laws of Full Disclosure
Federico Biancuzzi, 2008-02-26

Story continued from Page 3

(Poland) Tomasz Rychlicki: Polish Law of February 4, 1994, on Copyright and Neighboring Rights (in Polish: ustawa o prawie autorskim i prawach pokrewnych) allows -- unless otherwise provided in the contract -- for acts such as reproducing the program in its entirety or in part, either permanently or provisionally, where the loading, display, running, transmission or storage of a computer program calls for such reproduction, if they are necessary for the lawful acquirer to be able to make use of the program according to its intended purpose, including the correction of errors (article 74, sec. 4(1) and article 75, sec. 1).

The following acts shall not require authorization: analysis and study of and experimentation with the operation of the computer program by the lawful acquirer in order to ascertain its underlying ideas and principles, if the person concerned performs the above acts at the time of the operations associated with the loading, display, running, transmission or storage of the computer program (article 75, sec. 2(2)).

As you can see there isn't any prohibition on publishing your discoveries in copyright law, but we also have the Polish Penal Code (in Polish: Kodeks Karny) and the highly criticized Doctrine Article 269b, which prohibits creating, acquiring, selling or making available to other persons devices, computer software, passwords, codes or other data which allow access to information stored in a computer system or network.

Article 269b of the Polish Penal Code penalizes an act of a person who produces, acquires, sells or makes accessible to other persons devices or computer programs, as well as computer passwords, access codes or other data that enable access to information stored in a computer system or telecommunication network. Such a person can be sentenced to up to 3 years of imprisonment. Hacking is not defined in the Polish Penal Code.

However, article 269b contains an undefined term, "other data", which contradicts one of the main criminal law principles -- "in dubio pro reo" -- all doubts should be decided in favor of the defendant.

What is more important, Article 269b of the PPC is an example of an incorrect implementation of the Council of Europe Convention on Cybercrime (article 6 sec. 2), which clearly allows production, sale, procurement for use, import, distribution or otherwise making available or possession of devices, computer programs, computer passwords, access codes, or similar data that are not used for the purpose of committing an offense established by the Convention, for example for the authorized testing or protection of a computer system.

There is no definition of "authorized testing", but it may be presumed that every legitimate user of a computer program is entitled to such actions. In European Union countries this presumption is supported by a provision included in the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs.

So, as you can see, you can publish any kind of vulnerability in Poland and Europe (and in any country which is a party to the CoE CoC). There is also another very important issue with the national legislation as regards the Council of Europe Convention on Cybercrime, which 21 countries signed, including the U.S.A.

When the national legislation implementing the CoC is improperly implemented and a person is charged based on those national regulations' provisions, he/she always has the right to challenge it before the European Court of Human Rights. The court will always follow the Convention's text.

Story continued on Page 5 



Federico Biancuzzi is a freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.
Copyright 2010, SecurityFocus