26 June 2023 – On behalf of the National Test Institute for Cybersecurity NTC, Walder Wyss AG has prepared a detailed expert opinion entitled "Criminal Liability of Ethical Hacking". The National Test Institute for Cybersecurity NTC investigates digital products and infrastructures that have not been tested or have been insufficiently tested - also on its own initiative. Identifying vulnerabilities without an explicit mandate and without consent raises questions about possible criminal liability. Under Swiss law, anyone who gains or attempts to gain unauthorised access to another person's system is liable to prosecution. The Swiss Penal Code also criminalises the manipulation and alteration of data.

In its expert opinion, Walder Wyss AG concludes that "ethical hacking" may be exempt from prosecution if certain general conditions are met: If criminal norms are violated in the course of vulnerability analyses, a legitimate act in a situation of necessity under Article 17 SCC can be invoked under certain circumstances. However, unauthorised access to a system is only justified if there are concrete indications that a system is affected by potential security vulnerabilities. In addition, the discovery, documentation and information about these vulnerabilities must serve the purpose of averting the risk of malicious access.

Before the results of vulnerability analyses are published in detail, the identified and documented vulnerabilities should be fully closed. If this is not the case, the level of detail of a publication should be reduced to the necessary information. This will give system users sufficient warning and the opportunity to protect themselves.

The Walder Wyss AG expert opinion was prepared by Dr Michael Isler, Oliver M. Kunz and Gina Moll.

The expert opinion is available at the following link: in German

Executive Summary: in German, English, French and Italian