Why I’m happy to help the CCB

As you may know, the CCB (Center for Cybersecurity Belgium) is working on a vulnerability disclosure policy. It is meant to be an enabler for ethical hacking in Belgium. Organisations embracing and publishing such a policy can allow (external) ethical hackers to verify and test their security posture and to disclose any issues found, in a coordinated and responsible way.

Note that hacking, hacking tool possession and such are illegal in Belgium. The new rule will be that an allowance can be granted by the company who is the hacking target. This can be based on a contract (for professional companies) or a vulnerability disclosure policy (like the one the CCB will propose).

The CCB wants to make sure that the advice responds to the needs of security researchers and professionals. So they invited a number of people who are involved daily with ethical hacking and who know about responsible disclosure, to participate. Such as yours truly.

It’s too soon to talk about the outcome of the discussions with the CCB, but the policy itself is definitely something we are all looking forward to. We are very hopeful that the inclusion of professionals in the conversation will improve the chances that the policy will add value and clarity to the current murky legal situation of ethical hackers. And that is what everyone active in cybersecurity and ethical hacking has been longing for: clear legal limits within which one can act without risking prosecution.

A disclosure policy would state, among other things, how ethical hackers can disclose vulnerabilities to the company in a correct way, what the do’s and don’ts are for ethical hackers when probing their targets, basically what the acceptable boundaries are for hacking that specific organisation. If the hackers play by those rules, they can’t be prosecuted for their security research at that organisation.

What would you like to add to such a policy? Any advice? Looking forward to reading it in the comments.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *