Abstract The paper explores the role and legal protection of vulnerability reporters, namely cybersecurity researchers, within the evolving EU cybersecurity framework. It examines who these researchers are, the value of their work, and the growing legal risks they face across Europe, as demonstrated by high-profile cases in the Netherlands, Malta, and Germany. Drawing on international human rights frameworks, including the EU Charter of Fundamental Rights, the paper argues that security research should be protected under the right to science and the freedom to conduct research. The paper advocates for defining ‘good-faith security research’ as a legally recognized safe harbour in EU law. A comparative analysis of selected international and EU legal frameworks, such as the UN Convention Against Cybercrime, the Budapest Convention, the EU Directive on attacks against information systems, the Cybersecurity Act, the NIS2 Directive, the Cyber Resilience Act, and the national policies of a selected group of EU Member States, including the Netherlands, Belgium, France, Germany, Italy, Spain, Poland, Czechia, Slovakia and Malta, along with the UK and the USA, reveals fragmented and insufficient protection. To address this, the paper calls for a coherent EU-wide framework based on two interlinked pillars: (i) mandatory coordinated vulnerability disclosure (CVD) procedures, and (ii) substantive legal exemptions for ethical security research. While the recent NIS2 Commission Implementing Regulation (EU) 2024/2690 for entities in the digital infrastructure sector is a step forward, it lacks explicit protection for researchers. Therefore, the paper concludes with a call for integrating legal and technical safe harbours into EU cybersecurity legislation, so that vulnerability disclosure policies are not only adopted by entities but are also legally accessible and safe for the researchers who rely on them.
Rampášek et al. studied this question.