Possible Regulatory Models of Ethical Hacktivism in Spanish Legislation
Abstract
Ethical hacking shares with illicit hacking the core conduct of accessing an information system without authorization by bypassing established security measures, and differs from it only in its preventive purpose. This raises the question of whether that subjective element (the purpose of the access) is sufficient on its own to exclude criminal liability when neither the system owner nor the data subjects have given prior authorization. If personal privacy is taken to be the protected legal interest, the legalization of ethical hacktivism is precluded; if the protected interest is instead understood as the security of information systems, exceptions become possible where the conduct contributes to the protection of the system. This paper examines the compatibility of bug bounty and Coordinated Vulnerability Disclosure (CVD) models with the Spanish criminal framework and argues that current legislation, in particular Article 197 bis of the Spanish Criminal Code, needs to be adapted. Two regulatory approaches are proposed: requiring a specific intent to obtain data as an element of the offence, or establishing a criminal exemption clause for those who detect and report vulnerabilities in accordance with recognized protocols. Adopting a CVD policy would enhance system resilience, provided that organizations are capable of appropriately managing the vulnerability reports they receive.

