On German Law working against Disclosure [Links in German]

Goodbye to Disclosure of Vulnerabilities? #

This is a short summarization of the events, not the full story, therefore i linked the relevant articles.

In 2021, Mark Steier a security researcher found a vulnerability in Modern Solution's software. This consisted of the fact that the credentials of the live database was hardcoded in the source code. This Breach exposed 700.000 customers Datasets, consisting of several large german Companies Data.
Link to related Source from Mark Steier [in German]

This Vulnerability was disclosed to the Distributor of the Software. But instead of expressing gratitude - Steier was sued.
Link to related Source [in German]

After some back and forth, Steier is now facing a lawsuit after the public prosecutor's office in Cologne ruled that decompiling the source code "requires a deep understanding of programming languages and software development". Therefore he is no threated under the so called "Hackerparagraph" (ยง202 StGb) for "Spying out data".
Link to related News Article from Heise [in German]

Consequences #

This case as a whole, and the prosecution in particular, sets a dangerous precedent. Based on the decision, future responsible disclosure attempts could decrease significantly. Faced with being sued for a good deed, it is likely that those who find security vulnerabilities will think twice about disclosing them to the originator.