The Centre for Cyber Security Belgium has just enacted nation-wide vulnerability disclosure policies and a reporting framework, including several obligations for security researchers such as:
a) You must limit yourself strictly to the facts necessary to report a vulnerability – you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability
b) You must act without fraudulent intent or design to harm
c) As soon as possible after the discovery of the potential vulnerability, you must inform the organization responsible for the system, process or control of the vulnerability
You can read the announcement here, and the policy here.
Chloe Messdaghi, Managing Director at Impactive Partners had this comment:
“Belgium is offering a good example of where every country needs to be with their vulnerability disclosure policies. Unfortunately, the US is still piecing together our VDP legal framework, although in 2022, the DOJ revised its policies under the Computer Fraud and Abuse Act (CFAA) to help protect “good-faith” security research from being prosecuted, and the US Army actively encourages researchers to participate in its VDP.
“With cyber threats growing exponentially over the last several years, it’s past time to actually require that certain types and sizes of organizations across the US – and especially including all Federal agencies and NGOs – have robust protective, active vulnerability disclosure policies. VDPs have been viewed by security-aware organizations as must-have for many years. The thing to remember is that EVERYONE in both the public and private sector is now a target, and virtually everyone has exploitable, exposed assets they need to find and fix before a threat actor finds them – this is why we need VDPs.
“Remember back in 2021 when the UN disclosed a data breach exposing over 100K UNEP records? We applauded Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted. This was a great example of how vulnerability disclosure policies work, and underscored the value of working closely with independent researchers, i.e., hackers.”
Christopher Vaughan, VP, Technical Account Management at Tanium follows up with this comment:
“This is a welcomed development and having such laws in place will make Belgium a more secure country as a whole. Further, it will help position Belgium as a go-to destination for security research with a corresponding benefit of cultivating a greater number of homegrown talent.
“We can also expect to see some ambiguity around what’s considered legal and not. There isn’t a huge sample size of where policies such as this have been enacted on a national level, so it will be interesting to see a program of this scale in action.”
I really like the fact that Belgium is doing this and I hope that other countries will do something similar as actions like this will make us all safer.
Belgium Introduces National Legal Vulnerability Disclosure Framework & Policies
Posted in Commentary with tags Belgium, Legal on February 17, 2023 by itnerd