
Ask HN: Does GDPR force companies to disclose security vulnerabilities? - vrcabal
If security researchers find a vulnerability involving direct access to PII and report it to the company affected, is the company required to disclose it to their customers?

Article 34[1] says it is required to do so in case of a data breach.

Can an incident like this be seen as a data breach?

[1] https://gdpr-info.eu/art-34-gdpr/
======
bausshf
Finding a security vulnerability and reporting it does not count as a data
breach, because the data has not been misplaced, misused or subjected to other
similar activities.

However, the vulnerability itself could be used to cause a data breach, but if
someone reports it, then it's not a data breach, considering they didn't abuse
the data through the vulnerability.

It's no different from your QA testing an application and noticing that there
is a data leak during testing, etc.

------
MrVulcan
I would say that one can only speak of a breach if data from this has reached
people who shouldn't have it.

