zum Inhalt springen

A legal opinion on criminal liability for ethical hacking

The law firm of Walder Wyss was commissioned by the National Text Institute for Cybersecurity NTC to draft a detailed legal opinion entitled “Criminal Liability for Ethical Hacking”. One of the conclusions reached is that ethical hacking is not subject to prosecution if it is carried out in compliance with certain framework conditions. The publication of this legal opinion constitutes a contribution by the NTC toward the Confederation’s current national cyberstrategy, which seeks to institutionalize ethical hacking.



The National Test Institute for Cybersecurity NTC tests what is otherwise not tested. It takes the initiative to examine digital products and infrastructures that are not, or insufficiently, tested. Unless explicitly commissioned to do so and consent has been given, looking for vulnerabilities becomes a crime punishable under Swiss law as soon as the access controls of a third-party system have been overcome or such an attempt is made. Additionally, the Swiss Criminal Code (SCC) makes the manipulation and alteration of data a punishable offense.

Legitimate act in a situation of necessity

Under certain circumstances and in accordance with Art. 17 SCC, a legitimate act in a situation of necessity can be invoked if criminal norms are violated during vulnerability analyses. The penetration of a system is only justified if there are specific indications that a system is affected by potential security vulnerabilities. Additionally, the detection of, documentation of and communications regarding these vulnerabilities must serve the purpose of preventing malicious access. 

Publication of the results of vulnerability analyses

The vulnerabilities identified and documented must have been fully rectified prior to the publication of any details regarding these vulnerabilities. If that is not the case, the amount of detail disclosed in a publication should be reduced to the information absolutely necessary so that the users of the system can be adequately warned and given an opportunity to protect themselves.

Media Releases for Download:

Media Release English

Media Release German

Media Release French

Media Release Italian