Belgium defines the conditions under which a citizen may carry out
activities aimed at the uncoordinated detection of vulnerabilities
without having to fear legal consequences.
<https://ccb.belgium.be/en/vulnerability-reporting-ccb>
Vulnerability reporting to the CCB
Every computer system or network may contain vulnerabilities. These
vulnerabilities can be detected by both well-intentioned people and by
people with bad intentions. Apart from the existence of a coordinated
vulnerability disclosure policy (CVDP) or bug bounty, the fear of being
sued often prevents well-intentioned people from looking for and
reporting these vulnerabilities.
As part of the implementation of the national cybersecurity strategy, a
new legal framework has been adopted in Belgium to address this situation.
This new framework allows any natural or legal person, acting without
fraudulent or malicious intent, to investigate and report existing
vulnerabilities in networks and information systems located in Belgium,
provided that certain conditions are strictly respected (see detailed
explanations).
One of these conditions is to report the discovered vulnerabilities to
the Center for Cybersecurity Belgium (CCB) as soon as possible and
according to the procedure provided for this purpose.
[...]
B. What are your obligations in the context of the search for and
reporting of a vulnerability?
1° You must limit yourself strictly to the facts necessary to report a
vulnerability. Thus, you must not act beyond what is necessary and
proportionate to verify the existence of a vulnerability (see below
point C "proportionality and necessity of actions").
2° You must act without fraudulent intent or design to harm.
You may not use your research for fraudulent purposes or with malicious
intent. For example, you may not attempt to monetize the information
discovered to the responsible organization or to third parties (unless,
of course, a reward or remuneration has been explicitly and previously
agreed upon in the context of a pentest, bug bounty, agreement, etc).
When possible and to demonstrate your good intentions, make yourself
known to the responsible organization beforehand, during your research,
for example by using a header or another identifiable parameter.
3° As soon as possible after the discovery of the potential
vulnerability (and at the latest at the time of reporting to the
national CSIRT), you must inform the organization responsible for the
system, process or control of the vulnerability.
When more than one person was involved in the research, the report may
be made on behalf of several individuals who then assume collective
responsibility. For convenience, multiple vulnerabilities involving the
same responsible organization can also be reported in a single report.
However, it is necessary to make a separate report for each organization
concerned.
In order to establish the timeliness of your report, it is recommended
that you keep evidence of the actions taken (logging) with respect to
the network and information system concerned and communicate this
information to the CCB at the time of the report.
4° You must as soon as possible report the discovered vulnerability to
the CCB (in the absence of a CVDP), in writing and according to the
procedures described below (point D).
In order to establish the rapidity of your report, it is recommended
that you keep evidence of the actions taken (logging) with regard to the
system, process or control concerned and that you communicate this
information to the CCB at the time of the report. It is also recommended
to do the report prior to any active resistance by the responsible
organization (e.g., shutting down the ports) and/or any criminal
investigation, to emphasize the timeliness of the report.
5° You must not publicly disclose information about the discovered
vulnerability without the agreement of the national CSIRT (CCB).
C. Proportionality and necessity of actions
Your actions must be strictly limited to the facts that are necessary to
allow the research and the reporting of a vulnerability of a network and
information system.
The following may be considered as such facts:
- unauthorized access or attempted access to a computer system (art.
  550 bis § 1 and 4 of the Criminal Code);
- exceeding or attempting to exceed an authorization to access a
  computer system (550 bis § 2 and 4 of the Criminal Code);
- taking over or copying computer data (Art. 550 bis, § 3 of the
  Criminal Code);
- the development or possession of hacking tools (Art. 550 bis, § 5
  of the Criminal Code);
- possession, disclosure, use or disclosure of information obtained
  through unauthorized access - for example, information available on the
  Internet (Art. 550 bis § 7 of the Criminal Code);
- introduction or modification of data in a computer system (550 ter
  of the Criminal Code);
- interception or attempted interception of communications (Article
  314 bis of the Criminal Code and/or Article 145 of the Electronic
  Communications Act of 13 June 2005);
- the violation of an obligation of professional secrecy or a
  contractual obligation of confidentiality.
Your actions and research methods must remain necessary and
proportionate with regard to the objective of verifying the existence of
a vulnerability in order to improve the security of the system, process
or control concerned. The techniques used must therefore be strictly
necessary and proportionate to the demonstration of a security flaw.
If the demonstration is possible on a small scale, you cannot extend
your research further. The goal is not to use the vulnerability to
examine how far one can penetrate a system, process or control.
Similarly, there is no justification for disrupting the availability of
services provided by the affected equipment.
If not strictly necessary to demonstrate the existence of a
vulnerability, the use and retention of data from the system, process or
control may not be performed. Similarly, all data collected should be
deleted within a reasonable time after the report. If it is necessary to
keep this data for a longer period of time or if legal proceedings are
in progress, you must ensure that this data is kept secure during this
period.
The following may be considered as disproportionate and/or unnecessary
actions:
- the installation of malicious software (malware): viruses, worms,
  Trojan horses, or other;
- Distributed Denial of Service (DDoS) attacks;
- social engineering attacks;
- phishing attacks;
- spamming attacks;
- password theft or brute force attacks;
- deletion of data from the computer system;
- the realization of a foreseeable damage to the visited system or
  its data;
- all other offences than those mentioned under C (e.g. burglary,
  theft, assault, etc.).
Finally, you should also take into account that if your vulnerability
research is carried out on networks or information systems located in
whole or in part outside the Belgian territory, the present reporting
procedure will only protect you in Belgium and not in the other
countries concerned.
[...]
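As a worked illustration of two of the practical recommendations in section B above (2°: make yourself identifiable with a header during the research; 3° and 4°: keep timestamped evidence of the actions taken and hand it over with the report), here is a small Python helper. It is an added example and not code from the CCB page or from this list post. The header name X-Security-Research, the contact and reference values, and the target URL are assumptions chosen for illustration; the CCB text only speaks of "a header or another identifiable parameter" and does not prescribe one. The log is hash-chained so that an entry edited or removed after the fact breaks the chain, which is what makes a self-kept log usable as evidence of when each step was taken.

```python
"""Added example (not from the CCB page): identify yourself on every request
and keep a tamper-evident, timestamped log of each research action."""
import hashlib
import json
from datetime import datetime, timezone
from urllib.request import Request

# Assumed header name: the CCB only recommends "a header or another
# identifiable parameter", it does not prescribe a specific one.
RESEARCHER_HEADER = "X-Security-Research"
GENESIS = "0" * 64  # "previous digest" value used for the first log entry


def identifying_headers(contact: str, reference: str) -> dict:
    """Headers that let the target's operators see who is probing and why."""
    return {
        RESEARCHER_HEADER: f"contact={contact}; ref={reference}",
        "User-Agent": f"vuln-research/1.0 (+{contact})",
    }


class ActionLog:
    """Append-only log where each entry commits to the previous one by hash.

    Editing or dropping an earlier entry later breaks verify(), so the
    exported log can back up the timeline given to the organisation/CCB.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, action: str, target: str, note: str = "") -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "target": target,
            "note": note,
            "prev": prev,
        }
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry still matches its digest and the chain is unbroken."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body.get("prev") != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def export(self) -> str:
        """JSON Lines text to attach to the report sent to the organisation/CCB."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_request(url: str, contact: str, reference: str, log: ActionLog) -> Request:
    """Prepare (but do not send) an identified request and log the action."""
    req = Request(url, headers=identifying_headers(contact, reference))
    log.record("http_get", url, f"{RESEARCHER_HEADER} header set")
    return req


if __name__ == "__main__":
    log = ActionLog()
    # Constructed sample: assumed target, contact address and reference.
    req = build_request("https://example.test/login", "researcher@example.test",
                        "cvd-2024-001", log)
    log.record("observation", "https://example.test/login",
               "verbose error page reveals stack trace; stopped here, no data copied")
    print(req.full_url, req.header_items())
    print(log.export())
    print("chain intact:", log.verify())
```

The request is only built, not sent, so the block runs offline; in real use the same headers go on every request made during the research, and the exported log accompanies both the notification to the organisation (3°) and the report to the CCB (4°). Keeping the log deliberately short, as the sample does, also documents that the research stopped at the point where the flaw was demonstrated, which is what section C asks for.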
_______________________________________________
nexa mailing list
[email protected]
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa