Portugal has updated its cybercrime law to create a legal safe harbor for good-faith security researchers. A new provision in Article 8.o-A, titled "Acts not punishable due to public interest in cybersecurity," allows certain hacking activities to go unpunished if they meet specific criteria. This change aims to protect researchers who work to identify vulnerabilities and enhance cybersecurity. To qualify for this exemption, researchers must focus on vulnerabilities not created by them and must report findings to system owners and the National Center for Cybersecurity (CNCS). They cannot seek any financial gain beyond standard pay and must ensure their research does not disrupt services or harm data integrity. Activities like denial-of-service attacks, phishing, and data theft are explicitly prohibited. Moreover, any data gathered during research must stay confidential and be deleted within ten days after the vulnerability is addressed. The move aligns with similar legislation elsewhere. In November 2024, Germany introduced a draft law providing similar protections for security researchers. The U.S. Department of Justice also revised its policies in May 2022 to include exemptions for good-faith research under the Computer Fraud and Abuse Act. These legal changes aim to foster an environment where security researchers can safely identify and report vulnerabilities without fear of prosecution.