Belgium is the first country in Europe to establish a national safe harbor framework for ethical hackers, according to its cybersecurity authority. The Centre for Cyber Security Belgium (CCB) has unveiled a mechanism that shields individuals or entities from legal action when they disclose security flaws in systems, networks, or applications located in Belgium, provided that a set of strict conditions is met. The protection applies regardless of whether the vulnerable technology is owned by a private or a public body.
The national policy outlined by the CCB now allows IT vulnerabilities to be reported under legal protection if certain stipulations are adhered to: timely notification of both the technology owner and the CCB, submission of a detailed vulnerability report to the CCB, the absence of malicious intent, actions that are necessary and proportionate to demonstrate the vulnerability, and no public disclosure without the CCB’s approval. Although the CCB encourages Belgian organizations to formulate their own vulnerability disclosure policy (VDP), hackers are not obliged to inform the CCB if an entity already has a VDP in place, but may still do so under certain circumstances.
Unlike under most VDPs and bug bounty programs, aggressive methods such as phishing and brute-force attacks are viewed as disproportionate. In the broader EU context, a 2022 report by the EU Agency for Cybersecurity noted that France, Lithuania, and the Netherlands are also advancing coordinated vulnerability disclosure (CVD) policies, though Belgium’s approach is deemed the most thorough, according to a legal officer at the CCB. The policy extends protection to vulnerability reporters regardless of whether they have any affiliation with the affected organization.
The uptake of VDPs among Belgian firms and global blue-chip companies remains relatively low, but there is hope that such legislative steps might produce a ‘GDPR’-like effect that compels companies to adopt VDPs. In regions with similar legislation, ethical hackers have been instrumental in identifying and reporting security weaknesses, paving the way for stronger cybersecurity measures.