Belgium institutes nationwide vulnerability disclosure policy

New vulnerability reporting frameworks are now in place in Belgium, making it the fourth European country to give cybersecurity researchers a way to legally report software and hardware bugs to organizations and the government.

The Netherlands, France and Lithuania all have similar policies in place. Last year, the United States updated its own rules around vulnerability reporting in an effort to protect researchers who look for bugs with no plan to exploit them maliciously.

Belgium’s rules provide strict processes for what a researcher can do to “demonstrate the existence of the vulnerability.” The discoverer can’t demand a reward or payment unless it was agreed upon beforehand, as in a bug bounty program.

“One of the new provisions is that a discovered vulnerability must be reported as soon as possible to the responsible owner of the IT system and reported to the Centre for Cybersecurity Belgium (CCB) according to the procedure provided for that purpose,” the Centre for Cyber Security Belgium said Wednesday.

“Finally, under no circumstances may one disclose the discovered vulnerability without the permission of the CCB.”

The rules take pains to clearly state that they are meant for “people with good intentions” and “no intention to cause harm,” repeatedly making clear that it is not a license for anyone to hack organizations or businesses.

Officials noted that researchers have previously been afraid to report vulnerabilities because they worried about being sued.

The new new guidelines are strict. Researchers must report vulnerabilities to the relevant company or institution as soon as possible if it has a coordinated vulnerability disclosure policy. If problems arise or no response is received, researchers can send their reports to the CCB.

The CCB said the reports must be strictly limited to the facts necessary and cannot be publicly disclosed without first running them by the CCB.

The rules add that any vulnerability discovered in a professional context and reported is not a breach of professional secrecy and the CCB will anonymize the submission. But researchers should be aware that the Belgian law does not protect them in other countries.

According to the E.U.’s cybersecurity center ENISA, Czechia, Denmark, Germany, Greece, Spain, Italy, Latvia, Luxembourg, Hungary, Austria, Portugal, Slovenia, Slovakia and Finland are in various stages of implementing their own rules around vulnerability reporting.

A ‘must-have’

Several cybersecurity experts said the program was a positive development for ethical or “white hat” hackers who are eager to help protect organizations but wary of the potential consequences that come with not only reporting bugs but searching for them in the first place.

Chloe Messdaghi, a cybersecurity expert and managing partner of Impactive Consulting, said Belgium’s framework was something other countries need to adopt, explaining that the U.S. is still struggling with the legalities around the concept of vulnerability reporting.

Messdaghi noted that the U.S. Army actively encourages researchers to participate in its vulnerability disclosure program. The U.S. military services in general frequently hold bug bounty programs for researchers.

As an example of where a disclosure policy worked well, Messdaghi referenced a 2021 disclosure by ethical hacking group Sakura Samurai that involved a United Nations breach of more than 100,000 United Nations Environment Programme records.

Part of why that effort was successful is because of the U.N.’s transparent policy. Messdaghi said the researchers knew they would be recognized and not prosecuted for their discoveries.

“Vulnerability disclosure programs have been viewed by security-aware organizations as must-have for many years,” Messdaghi said. “The thing to remember is that EVERYONE in both the public and private sector is now a target, and virtually everyone has exploitable, exposed assets they need to find and fix before a threat actor finds them — this is why we need vulnerability disclosure programs.”