👤 AUDITWOLF
🗓️ 09 Dec 2025   🌍 Europe

Portugal’s Bold Bet: When the State Invites Hackers to Secure the Nation

New Portuguese law shields ethical hackers, setting a precedent for responsible vulnerability disclosure in government systems.

In a world where digital threats lurk behind every login, Portugal has thrown down the gauntlet: it’s telling hackers - yes, the good ones - to step forward and help defend the state. The country’s latest legal overhaul marks a radical shift, offering legal protection to ethical hackers who responsibly disclose vulnerabilities in public administration systems. Could this be the blueprint for future cybersecurity policy worldwide?

Criminal or Hero? Portugal Redraws the Line

For years, ethical hackers - also known as white hats - have walked a legal tightrope. In many countries, probing public IT systems for weaknesses, even with the best intentions, could land you in court. In Italy, for example, any unauthorized scan or penetration test is still a criminal offense, regardless of intent.

Portugal’s new law is a game changer. By amending Article 8.º-A, the government now recognizes the public interest in strengthening digital infrastructure. The law carves out a safe harbor for those who access systems solely to identify vulnerabilities and report them, provided they follow strict rules: no profit beyond standard rewards, no interference with services, and absolutely no attacks, data modification, or malware.

Researchers must act with surgical precision - only what’s necessary for diagnosis, no more. After notifying system owners and the CNCS, they have ten days to erase any sensitive information obtained. Even when acting with the system owner's consent, all findings must still be reported to the CNCS, ensuring transparency and oversight.

This is more than a local reform. Germany is considering similar measures, and the U.S. Department of Justice has softened its stance on prosecuting good-faith researchers under the Computer Fraud and Abuse Act (CFAA). The message is clear: criminalizing ethical hacking only benefits cybercriminals who operate in the shadows.

What’s at Stake?

The stakes are sky-high. With public services, critical infrastructure, and sensitive data at constant risk of attack, governments can no longer afford to alienate the very community best equipped to spot their weaknesses. By drawing clear lines and offering legal guarantees, Portugal is not just protecting hackers - it’s protecting itself.
