Security Researcher

A security researcher is any individual or organisation that investigates the security properties of products, systems, or software — probing for vulnerabilities, misconfigurations, or design flaws. Security researchers range from professional penetration testers employed by security firms, to academic researchers conducting independent investigations, to hobbyist hackers who analyse products in their own time. What distinguishes a security researcher from an attacker is intent: researchers seek to identify vulnerabilities in order to report them and enable fixes, not to exploit them for malicious gain. The security research community is a vital force in improving product security and has historically discovered the majority of significant software vulnerabilities.

The CRA acknowledges the critical role that security researchers play in the vulnerability discovery ecosystem. Recital 63 states that manufacturers should facilitate the ability of security researchers and others to report vulnerabilities. Article 13(6) requires manufacturers to establish a CVD policy that enables researchers — and users — to submit vulnerability reports through accessible channels. Critically, the CRA does not require researchers to be professionals, to have a commercial relationship with the manufacturer, or to obtain prior permission before investigating a product they lawfully possess. The CVD policy must be open and accessible to any good-faith reporter.

One of the most important features of a compliant CVD policy is the safe harbour clause — an explicit statement by the manufacturer that it will not pursue legal action against researchers who discover and report vulnerabilities in good faith, within the scope of the policy, and without causing unnecessary harm. Without safe harbour, researchers face legal risk under computer misuse laws and may choose not to report — or to disclose publicly without giving the manufacturer a remediation opportunity. The CRA's recognition of CVD as mandatory implicitly requires that the CVD process is accessible: a process that exposes reporters to legal risk is not genuinely accessible. Manufacturers should seek legal advice to draft a robust safe harbour clause.

The most counter-productive mistake a manufacturer can make is pursuing legal action against a researcher who reported a vulnerability in good faith. This destroys the manufacturer's reputation with the security research community, ensures that future vulnerabilities in their products go unreported, and constitutes a failure of the CVD obligation to maintain an accessible reporting channel. Other common failures include: not acknowledging reports within a reasonable timeframe (5 business days is standard); not updating reporters on remediation progress; and failing to credit researchers in security advisories when requested — a standard professional courtesy that motivates future responsible disclosure.