The Risks of Reporting Software Vulnerabilities and Data Breaches

A Growing Concern for Researchers and Whistleblowers

While the disclosure of software vulnerabilities and data breaches has become more accepted over the past three decades, researchers and whistleblowers continue to risk lawsuits and criminal charges depending on the country in which they live.

A Recent Example: The Arrest of Turkish Journalist İbrahim Haskoloğlu

In April 2022, police in Istanbul arrested independent Turkish journalist İbrahim Haskoloğlu after he revealed details of a breach of government data in Turkey. The country’s ruling party has since adopted the Convention Against Cybercrime, which makes it a crime to "access … an information or communications technology (ICT) system without right" or to intercept data or communications. Digital-rights groups worry that the treaty will lead to more laws that penalize legitimate security research.

A Growing Trend: Tougher Regulations

While Turkey appears to be the first country since August to pass a more strict cybercrime statue, tougher regulations seem increasingly likely, according to Childs. "Overall, we are currently in a climate where governments favor businesses over individual researchers," he says. "It would not surprise me to see similar measures in other countries."