New legal protections for security researchers could be the strongest of any EU country

Belgium launches nationwide safe harbor for ethical hackers

UPDATED Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, according to the country’s cybersecurity agency.

The Centre for Cyber Security Belgium (CCB) has announced a mechanism that protects individuals or organizations from prosecution – contingent on certain “strict” conditions being met – when they report security vulnerabilities affecting any systems, networks, or applications located in Belgium.

The framework applies regardless of whether vulnerable technologies are owned by private or public sector organizations.

Terms and conditions

According to the procedure set out in a national coordinated vulnerability disclosure policy (CVDP) on its website, the CCB – Belgium’s computer emergency response team (CSIRT) – can now receive reports on IT vulnerabilities, and security researchers who submit them gain legal protection provided the following conditions are met:

  • Notify the owner of the vulnerable technology as soon as possible and at least at the same time as the CCB
  • Submit a written vulnerability report to the CCB as soon as possible in the prescribed format
  • Act without fraudulent intent or intention to harm
  • Act strictly in a necessary and proportionate manner to demonstrate the existence of a vulnerability
  • Do not publicly disclose information about the vulnerability and vulnerable systems without the CCB’s consent

CCB also has guidelines, adopted in 2020, that encourage organizations in Belgium to adopt their own CVDP or bug bounty program.


Hackers need not notify the CCB where an organization already has a VDP, but may choose to do so if the vulnerability affects other organizations without VDPs, or “if difficulties arise” with disclosure and remediation.

In common with most VDPs and bug bounty programs, offensive techniques such as phishing, social engineering, and brute force attacks “may be considered as disproportionate and/or unnecessary actions”.

Elsewhere in the EU

A 2022 EU Agency for Cybersecurity (ENISA) report on national coordinated vulnerability disclosure (CVD) policies within the bloc revealed that France, Lithuania, and the Netherlands were also “undertaking CVD policy work and have implemented policy requirements”.

However, according to Valéry Vander Geeten, legal officer at the CCB, Belgium’s policy is the most comprehensive yet.

He told The Daily Swig that the Netherlands indicates “that the Public prosecutor Office will not prosecute ethical hackers”, France and Slovakia fall short of “full legal protection”, and that Lithuania’s legal safe harbor is “limited to critical infrastructure”.

He also emphasized that the Belgian framework protects vulnerability reporters regardless of whether they work for the organization whose technology is affected.

Numerous other EU member states are developing, or planning to develop, similar nationwide protections for hackers.

Far from the norm

While Telenet, Brussels Airlines, and Port of Antwerp are among Belgian companies with VDPs, it is far from the norm to have one. Even among the Fortune 500, less than 20% of blue chips apparently had VDPs as of 2021 (albeit this had risen from 9% in 2019).

“I do hope that legislation like this will have the ‘GDPR’-effect that will effectively force companies to adopt this,” Inti De Ceukelaire, head of hackers at Belgium-based bug bounty platform Intigriti, told The Daily Swig.

“Paradoxically, most security researchers are now delivering value and improvements to companies that want to listen and are already on board with the latest security trends, such as a VDP.

“Applying that to companies that are completely new to this will have interesting results, I believe. In the Netherlands, where they have similar legislation, a hacker that goes by the name Victor Gevers (0xDUDE) on Twitter has already reported 5,000 vulnerabilities under this.”

This article was updated on February 16 to clarify certain terms and terminology of the CVDP
