
Bug Bounty and Ethical Hacking in Algeria: Is There a Legal Framework for Responsible Disclosure?

February 26, 2026


The Researcher’s Dilemma

Algeria has a growing community of skilled cybersecurity researchers and ethical hackers. Many are self-taught, honing their skills through CTF (Capture The Flag) competitions, HackerOne and Bugcrowd platforms, and independent study. Algerian researchers have reported vulnerabilities in international platforms and earned recognition in the global security research community. But when it comes to reporting vulnerabilities in Algerian systems — government websites, banking portals, telecom infrastructure, university networks — these same researchers face a stark legal uncertainty that discourages the very activity that would improve Algeria’s cybersecurity.

The problem is simple and serious: Algeria has no safe harbor provision for good-faith security research. No major Algerian government agency has published a vulnerability disclosure policy (VDP). There is no coordinated disclosure framework. And the cybercrime legislation, Law 09-04 of 5 August 2009 on rules specific to the prevention and fight against information and communication technology offenses, read together with the Penal Code offences on automated data processing systems that it is built on, contains provisions broad enough to criminalize the act of discovering and reporting a vulnerability, even when done with purely constructive intent.

This creates a chilling effect. Researchers who discover that a government ministry’s website is leaking citizen data, or that a bank’s API exposes customer account information, face a binary choice: report the vulnerability and risk prosecution, or stay silent and let the vulnerability persist until a malicious actor exploits it. Most choose silence. The result is that Algeria’s most security-aware citizens are legally disincentivized from helping secure the country’s digital infrastructure.

Algeria’s recent cybersecurity governance moves — including the National Cybersecurity Strategy 2025-2029 (Presidential Decree No. 25-321, December 2025) and the establishment of dedicated cybersecurity units in public institutions (Presidential Decree No. 26-07, January 2026) — represent institutional progress. But neither decree addresses responsible disclosure, vulnerability reporting, or legal protections for good-faith security researchers. The gap persists.

Law 09-04: The Legal Minefield

Law 09-04 of 5 August 2009 set out Algeria's cybercrime framework. It is a short text of 19 articles in six chapters, and it is largely procedural: surveillance of electronic communications, search and seizure of information systems, obligations placed on service providers, and international cooperation. The substantive offences it relies on sit in the Penal Code, in Articles 394 bis and following (the section on offences against automated data processing systems, added by Law 04-15 of 10 November 2004). Those articles criminalize fraudulently accessing or remaining in all or part of an information system, fraudulently inserting, deleting or modifying data, and interfering with a system's operation. The basic offence of unauthorized access carries three months to one year of imprisonment and a fine of 50,000 to 100,000 DZD. Aggravated forms, where data is deleted or modified or the system's operation is disrupted, carry heavier terms, up to three years of imprisonment with fines running to several million DZD. The same section also punishes possessing, disclosing or disseminating data obtained through such access, which is what a proof-of-concept or a sample of leaked records amounts to, and all of these penalties are doubled when the target belongs to national defense, public institutions or public administrations.

The critical issue for security researchers is the definition of "unauthorized access." In many legal systems, researchers argue that probing a system to discover vulnerabilities, without modifying data, disrupting services, or exfiltrating information, should not constitute a criminal offense, especially when the intent is to report the findings to the system owner. But neither Law 09-04 nor the Penal Code offences it relies on distinguish between malicious unauthorized access and good-faith security research. There is no "intent" exception, no "public interest" defense, and no recognition of the concept of responsible disclosure. Law 09-04 also obliges service providers to cooperate with the judicial police and the authorities, which further complicates the position of a researcher whose report to a system owner can be forwarded to investigators as evidence of access.

Internationally, this gap has been addressed through various mechanisms. The Netherlands pioneered coordinated vulnerability disclosure (CVD) guidelines in 2013, when the Dutch National Cyber Security Centre (NCSC) published a responsible disclosure guideline and the Public Prosecution Service issued a policy letter outlining how prosecutors should handle ethical hacking cases. The policy weighs whether the researcher served an important public interest, acted proportionately, and could not have achieved the same result through less intrusive means, though it does not guarantee immunity from prosecution. The US Department of Justice revised its CFAA (Computer Fraud and Abuse Act) charging policy in May 2022, explicitly stating that good-faith security research, defined as accessing a computer solely for testing, investigating, or correcting a security flaw in a manner designed to avoid harm, should not be charged. The EU's NIS2 Directive (Directive 2022/2555, adopted December 2022) requires each member state to designate a CSIRT as coordinator for vulnerability disclosure and to adopt a national CVD policy, with a transposition deadline of 17 October 2024. Algeria has no equivalent guidance at any level: legislative, prosecutorial, or regulatory.


Cases and Consequences: When Researchers Speak Up

While Algeria does not have widely publicized cases of researchers being prosecuted specifically for responsible disclosure (unlike, for example, the 2017 case of an 18-year-old Hungarian researcher who was arrested after reporting a vulnerability in Budapest Transport Authority’s e-ticketing website, sparking massive public backlash), the absence of prosecutions does not mean the absence of risk. Algerian researchers in cybersecurity forums and social media describe encounters ranging from indifference to implicit threats when attempting to report vulnerabilities to Algerian organizations.

The typical scenario: a researcher discovers a vulnerability (SQL injection, exposed database, authentication bypass) on an Algerian government or corporate website. They attempt to contact the organization, and often struggle to find any security contact at all: no RFC 9116 security.txt file at /.well-known/security.txt, no CERT coordination, no responsible disclosure email. When they reach someone, responses range from "who are you and how did you access our system?" to complete non-response. Some researchers report being warned by organizations that reporting a vulnerability could be interpreted as an admission of unauthorized access.

The underground alternative is worse. Vulnerabilities discovered in Algerian systems do circulate in private Telegram groups and dark web forums, where they are shared or sold to malicious actors with no intention of responsible disclosure. The escalation of cross-border cyber conflicts in the North Africa region — including the Algeria-Morocco cyber incidents of 2025, which saw millions of citizens’ records exposed on underground forums — demonstrates that unpatched vulnerabilities in regional institutions carry real consequences when exploited by malicious actors rather than reported by responsible researchers. A functional responsible disclosure ecosystem would channel at least some of these discoveries toward remediation rather than exploitation.

Building a Disclosure Framework: What Algeria Needs

A viable responsible disclosure framework for Algeria requires action at three levels: legal, institutional, and organizational. At the legal level, an amendment to Law 09-04 or a new ministerial directive should establish a safe harbor for security researchers who: (1) act in good faith to identify vulnerabilities, (2) do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability, (3) report findings to the system owner or a designated coordination body within a reasonable timeframe, and (4) do not publicly disclose the vulnerability before the owner has had reasonable time to remediate. This does not require decriminalizing hacking — it requires distinguishing between research and attack.

At the institutional level, DZ-CERT (Algeria’s Computer Emergency Response Team, hosted by CERIST) or a designated coordination body should establish a coordinated vulnerability disclosure portal where researchers can submit findings confidentially. This body would triage reports, verify vulnerabilities, notify affected organizations, track remediation, and provide legal cover for researchers who follow the process. Algeria’s existing cybersecurity institutions — including ASSI (the Information Systems Security Agency under the Ministry of National Defense) and the newly established cybersecurity units in public institutions — could integrate a CVD mandate into their operational frameworks. The EU’s ENISA has published detailed guidelines for establishing national CVD frameworks that Algeria could adapt, and the NIS2 Directive’s Article 12 provides a proven template for CSIRT-coordinated disclosure.

At the organizational level, Algerian entities operating critical digital services (banks, telecoms, government portals, payment processors) should publish vulnerability disclosure policies (VDPs) on their websites. A VDP is simply a page stating: "We welcome security reports. Here is how to contact us. Here is what we consider in scope. Here is our commitment not to pursue legal action against good-faith researchers." The contact should also be advertised in a machine-readable security.txt file at /.well-known/security.txt (RFC 9116), which is the first place a researcher looks and which requires no more than a Contact line and an Expires date. This costs nothing to implement and immediately opens a channel for security improvements. For organizations with budget, formal bug bounty programs (paying researchers for verified vulnerability reports) create a market-based incentive for security improvement. Algeria Telecom, Djezzy, Ooredoo, and SATIM (Algeria's national interbank payment switch, which connects 19 member institutions including 18 banks and Algeria Post) would all benefit from pilot programs that tap into the existing Algerian security research talent pool.
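The following added example, which is not code from the article or from any Algerian organisation, parses and sanity-checks a security.txt file offline, the way a researcher looking for a contact or an organisation's own pre-publication check would. It enforces the rules that matter in practice: the Contact and Expires fields are mandatory, contacts must be URIs (a bare e-mail address is a common mistake), web contacts must use https, the file must not be expired, and an OpenPGP cleartext signature must be stripped before parsing. The organisation example.dz, its addresses and both sample files are constructed for illustration; a real check would fetch https://<host>/.well-known/security.txt and verify the signature as well.

```python
"""Offline sanity check for an RFC 9116 security.txt file.

Added example, not code from the article or from any Algerian organisation.
example.dz, its addresses and the sample files below are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED = ("contact", "expires")               # RFC 9116: MUST be present
SINGLETON = ("expires", "preferred-languages")  # MUST NOT appear more than once
KNOWN = {"contact", "expires", "encryption", "acknowledgments",
         "preferred-languages", "canonical", "policy", "hiring"}

# Fixed "now" so the checks are reproducible; a real run uses datetime.now(timezone.utc).
FIXED_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def strip_pgp_armor(text):
    """Return the signed body when the file is an OpenPGP cleartext signature, else the text."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_header = [], True
    for line in lines[1:]:
        if in_header:                        # skip "Hash: ..." lines up to the first blank line
            in_header = line.strip() != ""
            continue
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)


def parse_security_txt(text):
    """Map each lowercase field name to its values, in file order; comments and blanks are ignored."""
    fields = {}
    for raw in strip_pgp_armor(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return (errors, warnings): errors break RFC 9116, warnings are worth fixing before publishing."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    errors, warnings = [], []

    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must appear at most once")
    for name in fields:
        if name not in KNOWN:
            warnings.append(f"unknown field {name}")

    for uri in fields.get("contact", []):
        scheme = urlsplit(uri).scheme.lower()
        if not scheme:                        # a bare e-mail address is not a URI
            errors.append(f"contact is not a URI: {uri}")
        elif scheme == "http":                # web contacts MUST be https
            errors.append(f"web contact must use https: {uri}")

    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"expires is not an RFC 3339 date-time: {value}")
            continue
        if expires.tzinfo is None:
            errors.append("expires must carry a timezone offset")
        elif expires <= now:
            errors.append(f"file expired on {value}")
        elif expires - now > timedelta(days=365):
            warnings.append("expires is more than a year away; RFC 9116 recommends less")
    return errors, warnings


# Constructed sample for a hypothetical organisation; example.dz is not a real contact.
GOOD = """\
# Security contact for the hypothetical example.dz (constructed sample)
Contact: mailto:security@example.dz
Contact: https://example.dz/security/report
Expires: 2027-01-31T23:59:00Z
Encryption: https://example.dz/pgp-key.txt
Preferred-Languages: ar, fr, en
Canonical: https://example.dz/.well-known/security.txt
Policy: https://example.dz/security/disclosure-policy
"""

# Constructed sample of common mistakes: bare e-mail, http contact, misspelled field, no Expires.
BAD = """\
Contact: security@example.dz
Contact: http://example.dz/contact
Acknowledgements: https://example.dz/hall-of-fame
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        errors, warnings = check_security_txt(body, now=FIXED_NOW)
        print(f"{label}: errors={errors} warnings={warnings}")
```

Run as a script it reports the good file as clean and lists three errors and one warning for the bad one. The Preferred-Languages line matters locally: listing ar, fr and en tells a researcher which language a report will actually be read in, and the Policy link is where the VDP page described above belongs.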


🧭 Decision Radar

Relevance for Algeria: High. Algeria has security talent but no legal framework that lets it contribute to national cybersecurity through responsible disclosure.
Action Timeline: Immediate for organizational VDPs; 6 to 12 months for regulatory guidance; 12 to 24 months for a legislative safe harbor.
Key Stakeholders: Ministry of Justice, Ministry of Post and Telecommunications, CERIST/DZ-CERT, ANPDP, the banking sector (ABEF), telecom operators, and the security research community.
Decision Type: Strategic.
Priority Level: High.

Quick Take: Algeria criminalizes the act of discovering vulnerabilities without distinguishing between attackers and defenders. A legal safe harbor, a national vulnerability coordination portal, and published disclosure policies by major organizations would transform Algeria’s cybersecurity posture by empowering the researchers who want to help.
