15 February 2023 at 16:49 UTC
Updated: 15 February 2023 at 17:30 UTC
New legal protections for security researchers could be the strongest of any EU country
Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, according to the country’s cybersecurity agency.
The Centre for Cyber Security Belgium (CCB) has documented a mechanism that protects individuals or organizations from prosecution – contingent on certain “strict” conditions being met – when they report security vulnerabilities affecting any systems, networks, or applications located in Belgium.
The framework applies regardless of whether vulnerable technologies are owned by private or public sector organizations.
Terms and conditions
As set out in a vulnerability disclosure policy (VDP) on the website of the CCB – Belgium’s national computer security incident response team (CSIRT) – bug reporters must adhere to five strict conditions to enjoy legal protection for their activities:
- Submit a written vulnerability report to the CCB as soon as possible in the prescribed format (and before any criminal proceedings commence)
- Notify the owner of the vulnerable technology as soon as possible, and no later than they notify the CCB
- Act in good faith without malicious or fraudulent intent
- Verify the security flaw’s existence in a necessary, proportionate manner
- Do not publicly disclose information about the vulnerability without the CCB’s consent
Hackers need not notify the CCB where an organization already has a VDP, but may choose to do so if the vulnerability affects other organizations without VDPs, or “if difficulties arise” with disclosure and remediation.
In common with most VDPs and bug bounty programs, offensive techniques such as phishing, social engineering, and brute force attacks “may be considered as disproportionate and/or unnecessary actions”.
Elsewhere in the EU
A 2022 EU Agency for Cybersecurity (ENISA) report on national coordinated vulnerability disclosure (CVD) policies within the bloc revealed that France, Lithuania, and the Netherlands were also “undertaking CVD policy work and have implemented policy requirements”.
However, according to Valéry Vander Geeten, legal officer at the CCB, Belgium’s policy is the most comprehensive yet.
He told The Daily Swig that the Netherlands indicates “that the Public prosecutor Office will not prosecute ethical hackers”, France and Slovakia fall short of “full legal protection”, and that Lithuania’s legal safe harbor is “limited to critical infrastructure”.
Numerous other EU member states are developing, or planning to develop, similar nationwide protections for hackers.
Far from the norm
While Telenet, Brussels Airlines, and Port of Antwerp are among Belgian companies with VDPs, it is far from the norm to have one. Even among the Fortune 500, less than 20% apparently had VDPs as of 2021 (albeit this had risen from 9% in 2019).
“I do hope that legislation like this will have the ‘GDPR’-effect that will effectively force companies to adopt this,” Inti De Ceukelaire, head of hackers at Belgium-based bug bounty platform Intigriti, told The Daily Swig.
“Paradoxically, most security researchers are now delivering value and improvements to companies that want to listen and are already on board with the latest security trends, such as a VDP.
“Applying that to companies that are completely new to this will have interesting results, I believe. In the Netherlands, where they have similar legislation, a hacker who goes by the name Victor Gevers (0xDUDE) on Twitter has already reported 5,000 vulnerabilities under this.”