This is actually a big problem for Germany, because the cited StGB 202 ff. penal code paragraphs have made security research in any private-sector shape or form impossible, or at least highly unattractive.

Now a gap of almost 20 years has opened, in which basically no young engineers have been interested in the field, let alone trained. The biggest companies with the deepest pockets have been mopping up anyone they could find. Top talent went abroad. And so the majority of German businesses, which are SMBs, get hacked more every day. Nobody audits anything. Unfortunately, anything networked is a security risk these days.

I caution that it is highly naive to bet on this getting thrown out at higher court levels. The defendant is looking at YEARS of wasted brain cycles, trying to go from AG to LG to OLG to BGH. My guess is 100k EUR of fees also wasted. And for what? Because a company couldn't properly secure its data, you told them that, and as a "thank you", they sued you in court?

My advice: If there is no clear bug bounty program, or it is not your own company, or you weren't tasked in writing and paid by that very company to find holes, don't make it your problem. Suppress any good-samaritan helper complex you might have. Wipe all files and talk to nobody, especially not at your place of employment. Once a lawsuit is involved, anyone questioned will say "Oh, Mike from DevOps figured that one out from the hexdump". You will regret it.

Some of the older German infosec dogs are so aggravated by this that they refuse to help any governmental organization if there is an incident. Learning through pain (Lernen durch Schmerz).
