Good Hackers, Bad Law
Modern societies depend on digital systems in profound ways: hospitals, public authorities, energy infrastructure. Yet IT systems are also so complex that they will never be entirely free of flaws.
The question is therefore not whether vulnerabilities exist in any given system, but who finds them first and what happens next.
What Ethical Hackers Do — and Why We Need Them
Security vulnerabilities are discovered in digital systems every day. Sometimes deliberately, often by accident. What happens next depends entirely on who makes the discovery.
When criminals find them, they can be used for espionage, extortion, or sabotage. When the same vulnerability is found by someone acting in good faith, it can be reported and fixed before any harm is done. This is the work of ethical hackers: they identify vulnerabilities, report them confidentially to operators or manufacturers, and hold off on any public disclosure until the issue has been resolved. This practice is known as Responsible Disclosure.
One principle is always central: ethical hackers intervene in systems as minimally as possible, avoid accessing personal data, and have no interest in causing harm or gaining any advantage. Their goal is to surface vulnerabilities so they can be fixed — work they often do voluntarily and without pay.
In an increasingly digitalised society, this work is growing in importance. Healthcare, energy supply, and public administration all depend on complex software and therefore on people who are willing to bring its weaknesses responsibly to light.
Security Vulnerabilities as a Geopolitical Threat
The stakes go well beyond individual systems. States around the world are investing heavily in offensive cyber capabilities, actively hunting for previously unknown vulnerabilities to conduct espionage or sabotage. Estimates suggest China alone employs tens of thousands of specialists within state-backed hacking structures.
The international market for so-called zero-day vulnerabilities amplifies this dynamic. Previously unknown security flaws can command prices in the millions — paid not only by companies, but by state actors as well.
The longer a vulnerability goes undetected, the greater the risk that it will be exploited for espionage or sabotage. Responsible Disclosure shrinks this attack surface and makes everyone safer.
Responsible Disclosure as a Pillar of Modern IT Security
Many companies, authorities, and organisations have already established vulnerability disclosure programmes — dedicated channels through which ethical hackers can report security flaws before they are exploited. Some go further, offering symbolic payments through bug bounty programmes to researchers who bring vulnerabilities to their attention.
The issue is also gaining regulatory weight. The EU's NIS Directive and its successor, NIS-2, require operators of critical infrastructure to systematically address security vulnerabilities and put appropriate reporting and response processes in place.
In Austria, Doing the Right Thing Is a Legal Risk
Here lies the problem: in Austria, responsible security work can expose you to criminal liability.
The central provision is §118a of the Criminal Code ("Unlawful Access to a Computer System"). Its wording is broad enough to apply even when ethical hackers are simply examining systems and probing for vulnerabilities.
Criminal exposure is not the only risk. Administrative penalties are possible too — §62(1)(1) of the Data Protection Act provides for fines of up to €50,000.
The result: vulnerabilities go unreported, even when operators have every reason to want to know about them. In Austria, it is currently legally riskier to do the right thing than to stay silent.
We know this from our own experience. During the COVID pandemic, epicenter.works staff and journalists from Der Standard evaluated the Epidemiological Reporting System (EMS) and uncovered a serious vulnerability that could have exposed thousands of sensitive health records. We followed Responsible Disclosure throughout — yet the public prosecutor's office opened criminal proceedings against us (not against Der Standard) under §118a. Two years later, the case was dropped. After we went public, the responsible minister was compelled to apologise. The burden, the costs, and the chilling effect have stayed.
Other Countries Show the Way
Other European countries have already built frameworks that explicitly protect this kind of work.
The Netherlands operates a well-established Coordinated Vulnerability Disclosure system, in which ethical hackers can report security vulnerabilities without automatically facing prosecution — provided they follow clear, defined rules.
Estonia has gone even further, actively embedding the IT community in the defence of its digital infrastructure. This approach emerged in the wake of the massive cyberattacks on Estonian authorities, media, and businesses in 2007 — widely regarded as one of the first large-scale state-backed cyberattacks. Estonia responded by building structures that allow IT community experts to contribute directly to the security of its highly digitalised public infrastructure.
Austria Is Moving — But Not Far Enough
The call for legal certainty around ethical hacking is not new. epicenter.works has been advocating for the legal protection of responsible vulnerability disclosure for years.
In January 2026, the Austrian National Council — supported by ÖVP, SPÖ, NEOS, and the Greens — passed a motion calling on the federal government to evaluate how ethical hacking can be better protected by law. A first step, but not yet a reform.
We continue to push for a fundamental reform of the legal framework for Responsible Disclosure in Austria. To make that reform workable, we need input from the community. We are also always ready to help address security vulnerabilities or other problems — as we have done many times before.
If you conduct security research, have reported a vulnerability, or have encountered this issue in your organisation or public authority, we want to hear from you. Get in touch now.