1: https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hen... [de]
I'm not sure white-hat hacking is broadly compatible with German culture. Keep in mind that going bankrupt in Germany permanently closes off lots of avenues, from future lending to whether you can be in senior management at a public company.
They really couldn't. BVerfG (Germany's constitutional court) has clearly said that dual use tools have a presumption of not being tools to break the law. It's been very clear that mens rea matters. And that a narrow reading of the law is the only constitutional reading.
The problem here is taking "word for word" as "by dictionary meaning", which is never how laws are read.
It's still a problematic law (together with §202a/b) because it doesn't clearly carve out space for grey-hat activities (white-hat attacks with authorization really don't fall under it even with creative reading).
On the upside, Germany is considering fixing that. On the downside, it moves with the speed of classic German bureaucracy and is being "discussed" since 2024.