FAQ on the legal vulnerability reporting procedure, Coordinated Vulnerability Disclosure (CVD) policies and bug bounty programs

Frequently Asked Questions


The purpose of these FAQs is to set out the concepts, objectives, main legal issues and good practices relating to the adoption of Coordinated Vulnerability Disclosure (CVD) policies and the legal vulnerability reporting procedure (see the dedicated page: Vulnerability Reporting to the CCB). In Belgium, any natural or legal person, acting without fraudulent intent or malice, may, even in the absence of a CVD, search for and report potential vulnerabilities in networks and information systems. However, to benefit from legal protection, certain conditions must be strictly met (see below). The author of a vulnerability report must be aware that he or she does not benefit from a general exclusion of liability when searching for or reporting vulnerabilities: he or she must remain proportionate in his or her actions, act with caution and scrupulously comply with all the conditions required.

  • Is it legal to search for and report vulnerabilities in Belgium (as part of a CVD policy, a reward program or even outside such policies)?

    A CVD policy or a reward program/bug bounty for the discovery of vulnerabilities is a form of contract in which the main contractual provisions are laid down by the organisation responsible for a specific information system, and then accepted by the participant when the latter freely decides to take part in the program set up. The adoption of such a policy clarifies the legal situation of participants by enabling them to prove, subject to compliance with the conditions set out in the policy, the existence of prior authorisation for access to the IT systems concerned and therefore the absence of an illegal intrusion (see Guide to coordinated vulnerability disclosure policies. Part II: Legal aspects).

    Since the adoption of the legal reporting procedure in 2023, the CCB can also receive reports of potential vulnerabilities about ICT products or ICT services subject to Belgian law (even when the organisation does not have a CVD policy or bug bounty program). This legal procedure can also be applied in the context of an existing CVD policy or a reward program. However, if the researcher wants to benefit from legal protection, he or she must respect certain conditions, including strict limitation to necessary and proportionate actions, absence of fraudulent intent or malice, as well as notification and reporting to the responsible organisation and to the CCB. For more information, see our page Vulnerability reporting to the CCB.

    Outside of the above procedure, it is not legal to possess, share or sell information about computer vulnerabilities or "exploits" (computer programs that make use of the vulnerability) obtained as a result of an unauthorised intrusion into a computer system, even if the person in question is not responsible for that unauthorised intrusion.

  • Is it mandatory to use the legal framework?

    The use of the legal vulnerability reporting procedure is not mandatory, but it is strongly encouraged, as it allows the researcher to benefit from legal protection (under criminal and civil law), where applicable. If the researcher respects neither the conditions of the legal vulnerability reporting procedure nor those of the applicable CVD policy/bug bounty, he or she may potentially be held accountable when searching for and reporting a vulnerability.

    It should be noted that researchers who do not commit any criminal actions during their research activities (such as those mentioned in point C. on our vulnerability reporting page), do not necessarily need the protection offered by the legal framework, as they incur no criminal liability.

  • What is a coordinated vulnerability disclosure (CVD) policy?

    A CVD policy is a set of rules determined in advance by an organisation responsible for information systems, authorising participants (or "ethical hackers") with good intentions to search for potential vulnerabilities in its systems, or to pass on any relevant information on this subject. These rules, which are generally published on a website, establish a legal framework for collaboration between the organisation responsible and the participants in the policy. In particular, they must ensure the confidentiality of the information exchanged and provide a responsible and coordinated framework for any disclosure of discovered vulnerabilities. Thus, the notion of "disclosure" should not be understood as necessarily implying in all cases a public disclosure of the vulnerability, but rather, at a minimum, the disclosure from the participant to the responsible organisation.

    While disclosure of the vulnerability by the participant to the responsible organisation is mandatory, public disclosure of the vulnerability (by the participant or the organisation concerned) is, on the other hand, optional in the context of a CVD policy. This is because a vulnerability could potentially lead to an unexpected or undesirable event and can be exploited by malicious third parties with a view to violating the integrity, authenticity, confidentiality or availability of a system or causing damage.

    In Belgium, it is also allowed to search for and report potential vulnerabilities affecting an ICT product (an item or group of items belonging to a network or information system) or an ICT service (a service consisting wholly or mainly of transmitting, storing, retrieving or processing information using networks and information systems) subject to Belgian law (products, systems or networks located in Belgium), when an organisation does not have a CVD policy. In this context, the researcher may ask the CCB for authorisation to publicly disclose his or her findings. More information about this can be found on our page Vulnerability Reporting to the CCB.

  • What is a bug bounty program?

    A bug bounty program is a set of rules defined by an organisation to award rewards to participants who identify vulnerabilities in the technologies it uses. This reward can take the form of a sum of money, gifts, or public recognition (ranking among the best participants, publication, conference, etc). It is a form of coordinated vulnerability disclosure policy, in which the participant is rewarded according to the number, importance or quality of the information provided. This form of policy is more attractive to potential participants and often offers better results for organisations. An organisation may also call on a bug bounty platform to provide technical and administrative assistance for the management of its vulnerability discovery reward program (coordinator role).

    To reward the participants who use the legal vulnerability reporting procedure, the CCB has put in place a Wall of Fame on its website.

  • What is a CVD coordinator?

    A coordinator is a natural or legal person who acts as an intermediary between the participant and the organisation responsible for an information system, by providing logistical, technical, and legal assistance, or other functions, in order to facilitate their collaboration.

    In its role as CVD coordinator in Belgium (even outside the legal vulnerability reporting procedure), the Centre for Cybersecurity Belgium (CCB) acts as a trusted intermediary by facilitating, where necessary, interactions between the natural or legal person reporting a potential vulnerability and the manufacturer or supplier of the potentially vulnerable ICT products or ICT services, at the request of either party. Researchers may reach out to the CCB via the email address indicated on the page Vulnerability Reporting to the CCB.

  • What is a CVD participant, researcher or "ethical hacker"?

    A CVD participant, researcher or "ethical hacker" is a well-intentioned person who wishes to contribute, with the authorisation of the responsible organisation, to improving the security of information systems. They may, for example, carry out penetration tests or use other methods to verify the security of information systems. They are the opposite of cybercriminals, who use their skills to attempt to gain unauthorised access to a system with malicious intent. The participant, for his or her part, intends to warn the person in charge of the information system, or a coordinator, of any vulnerabilities discovered in order to eliminate them.

  • What are the benefits of a CVD policy or a reward program for the discovery of vulnerabilities?

    A CVD policy can provide the responsible organisation with information about vulnerabilities in its systems in a fair and lawful manner, enabling it to take appropriate and timely action. This enables it to effectively prevent or limit, as far as possible, the risks and potential damage that these vulnerabilities could cause. In addition to other technical and organisational measures, the implementation of a CVD policy is an appropriate technical and organisational measure to prevent incidents that could compromise the security of its networks and information systems (and its personal data). It has the undeniable advantage of identifying vulnerabilities and remedying them before a security incident occurs.

    Of course, the attractiveness and effectiveness of the policy are increased when the responsible organisation decides to reward participants according to the importance and quality of the information provided as part of a bug bounty program. Even when the organisation grants rewards and uses an external coordinator (ethical hacking platform), the costs associated with implementing a CVD policy are generally better controlled (and lower) than those usually associated with having audits carried out by external companies. Indeed, the granting of a reward in the context of a bug bounty program results from an obligation of result on the part of the participant, whereas the external auditor is generally only bound by an obligation of means. The latter should therefore be remunerated for all their services, even if they find no vulnerabilities or only minor ones as a result of their research. International technical standards in the field of IT security explicitly recommend the implementation of a CVD policy (see, for example, international standards ISO/IEC 29147 and 30111).

    Adopting a CVD policy also encourages knowledge and research in the field of cybersecurity. This approach implies a commitment by the concerned organisation to process the information provided by participants and to try to remedy the vulnerabilities identified, or at the very least to inform users of the risks involved. This commitment can also constitute a marketing argument and be highlighted in the organisation's communications. Confidence in information systems is undoubtedly an important factor for users and consumers. A CVD policy makes it possible to establish a legal framework between ethical hackers and the organisation, which reinforces the confidentiality of information, provides the best possible framework for any public disclosure, and avoids any possible damage to the organisation's reputation.

    Finally, the implementation of a CVD policy makes it possible to prove the organisation's efforts to comply with its legal obligations to secure its networks and information systems, notably under the EU General Data Protection Regulation ("GDPR"), the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (hereafter "NIS2 Law"), the rules of civil liability, the Code of Economic Law, etc. (see Guide to coordinated vulnerability disclosure policies. Part I: Good practices).

    Essential and important entities under the NIS2 Law are even required to adopt their own CVD policy which covers their networks and information systems (art. 30, § 3, 11°).

  • Why should my organisation have a CVD policy when the legal framework exists?

    With the legal vulnerability reporting procedure, the organisation and the ethical hacker no longer rely solely on a CVD policy or bug bounty program for vulnerability research. Ethical hackers can use the legal procedure described on the website of the CCB, provided that they respect the enumerated conditions.

    Having a CVD policy allows an organisation to be better prepared to handle vulnerability reports and have its own dedicated process, without necessarily involving the CCB. That being said, even in the presence of a CVD policy, a participant may still make use of the legal vulnerability reporting procedure to ensure that he is adequately protected.

    In addition, having a CVD policy also allows an organisation to attract more participants by offering rewards or bug bounties, something that is not provided for under the legal reporting procedure.

  • What happens if a participant does not comply with the terms of a CVD policy?

    A participant in a CVD policy (or bug bounty program) should comply with the scope and conditions of the policy of the organisation responsible for the concerned ICT products or services.

    Alternatively, or combined with the CVD policy, a researcher can always make use of the legal vulnerability reporting procedure. In this situation, the participant should then respect all the conditions described on the page Vulnerability reporting to the CCB.

    Outside of these situations, a researcher does not benefit from legal protection and could potentially be held accountable for his or her vulnerability research activities.

  • How does someone become an ethical hacker?

    Access to the profession of CVD participant or "ethical hacker" is not regulated. Anyone can therefore declare themselves as "ethical hacker". However, ethical hackers can demonstrate their skills through diplomas, training, professional experience or by passing tests with the responsible organisation (or a coordinator managing a bug bounty platform, for example). There are also recognised training courses in this area (see in particular the "Certified Ethical Hacker - (CEH)" certification organised by the International Council of Electronic Commerce Consultants (EC-Council) and recognised by the American National Standards Institute (ANSI)).

    The best ethical hackers that interact with the CCB are put forward on our Wall of Fame.

  • Who should I contact if the organisation responsible for the information system does not have a CVD policy?

    When there is no CVD policy or bug bounty/reward program for the discovery of vulnerabilities, the ethical hacker can use the legal vulnerability reporting procedure, which is described on our page Vulnerability reporting to the CCB.

  • What happens if personal data is processed by a researcher?

    The purpose of participating in a CVD policy is not to intentionally process personal data, but it is possible that the participant may come into contact with personal data, even incidentally, as part of his or her vulnerability research. The notion of processing of personal data is broad in scope and includes in particular the storage, modification, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person.

    Whether a person is "identifiable" does not depend on whether the data controller simply wishes to identify the person, but on whether it is possible to identify the person, directly or indirectly, using the data (for example: an e-mail address, identification number, online identifier, IP address or location data).

    The controller is the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing.

    Since the CVD policy constitutes a form of contract binding the ethical hacker to the responsible organisation, it is useful to specify the obligations of the parties with regard to the processing of personal data, in particular the purposes and essential means of any processing carried out under this policy (see our Guide - Part I: Good practices, and Part II: Legal aspects).

    In the context of the legal procedure, the Website of the CCB describes what needs to be known about the processing of personal data.

  • What is the scope of the legal vulnerability reporting procedure?

    According to art. 22 and 23 of the NIS2 Law, any individual or legal entity may report, even anonymously, the existence of a potential vulnerability affecting an ICT product (an item or group of items belonging to a network or information system) or an ICT service (a service consisting wholly or mainly of transmitting, storing, retrieving or processing information using networks and information systems) subject to Belgian law (products, systems or networks located in Belgium).

    A vulnerability is defined as "a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat" (art. 8, 15° NIS2 Law).

    This procedure is without prejudice to the application of other legal procedures (related to whistleblowers, the GDPR, the CRA, etc.). If the vulnerability research is carried out on networks or information systems located in whole or in part outside Belgian territory, the present legal framework will only protect the researcher in Belgium and not in other countries.

  • What are the conditions under which a researcher may be protected when using the legal vulnerability reporting procedure?

    To benefit from the legal protection when searching and reporting a vulnerability, the following conditions should be respected (art. 23 NIS2 Law):

    • act without fraudulent intent or intent to harm;
    • within 24h of the discovery of a potential vulnerability, send a simplified notification (that includes the identification of the system concerned and a simple description of the potential vulnerability) to the organisation responsible for the system and to the CCB;

    This deadline starts from the moment when the person should reasonably have known or discovered a potential vulnerability (see definition), i.e. after a reasonable period of investigation and validation to establish a potential vulnerability.

    • within 72h of the discovery of a potential vulnerability, send a full notification to the organisation responsible for the system (in accordance with their reporting procedures, if they have one), and to the CCB, in accordance with the procedure described on its website;
    • do not go beyond what was necessary and proportionate to verify the existence of a vulnerability and to report it;

    All the actions of the researcher must be strictly limited to what is necessary and proportionate to allow the discovery and the reporting of a vulnerability in a network or information system. If the demonstration is possible on a small scale, he shall not extend his research further. Similarly, there is no justification for disrupting the availability of services provided by the affected equipment. On its website, the CCB mentions some actions (non-exhaustive list) that may be considered as disproportionate and/or unnecessary.

    • do not publicly disclose information relating to the vulnerability and to vulnerable systems, without the agreement of the CCB;

    An additional condition (6°) applies to the information systems (as well as the information processed by or on behalf) of certain organisations (SGRS/ADIV, VSSE, OCAM/OCAD, Ministry of Defence, police services, Belgian diplomatic and consular missions outside the EU, judicial bodies, Class I nuclear establishments, NCCN and CCB): in this case, the researcher needs to obtain prior written agreement to search for potential vulnerabilities (such agreement may, for example, take the form of a CVD policy).

    More information about these conditions can be found on the page Vulnerability reporting to the CCB.

  • Do I have to respect all conditions from the legal vulnerability reporting procedure when notifying a vulnerability to the CCB?

    In order to benefit from the civil and criminal protection offered by the legal framework, the reporter indeed has to respect all the different conditions (including deadlines); otherwise he or she could face legal (criminal or civil) consequences if criminal or civil offences have been committed. However, the use of the legal vulnerability reporting procedure remains voluntary (the researcher could use an applicable CVD or bug bounty procedure instead).

    Provided that the conditions are met, a cause of justification may be granted for a limited list of criminal offences under articles 314bis, 550bis, and 550ter of the Criminal Code (new art. 342, 343, 352, 524 to 533), as well as under Article 145 of the law of 13 June 2005 on electronic communications.

    The sharing of information about a discovered potential vulnerability in a professional context would also not violate any obligation of confidentiality or professional secrecy.

    Any other liability of the reporter, arising from acts or omissions that are not necessary for the completion of the reporting procedure and that do not comply with all legal requirements, remains untouched. Such acts or omissions may continue to be punishable under criminal and civil law.

    It is important to note that this legal protection is limited to the application of Belgian law and does not protect against possible offences committed under the law of other countries.

    If the legal conditions are met and the researcher so requests, the CCB undertakes to respect the confidentiality of his or her identity.

  • When and how do I notify a vulnerability to the CCB?

    To notify a vulnerability to the CCB, an ethical hacker has to follow the procedure described on the page Vulnerability reporting to the CCB.

    This entails that the researcher first completes a simplified notification form, within 24h of the discovery of a potential vulnerability, with some preliminary information about the vulnerability, and then a full notification form, within 72h of the discovery of a potential vulnerability, which provides more details about the findings. These forms are, where possible, encrypted, and then sent to the CCB via the email address specified on the page linked above.

  • May I freely disclose to the public a vulnerability that I reported under the legal procedure?

    One legal condition is that the researcher cannot publicly disclose information relating to the vulnerability and to vulnerable systems without the agreement of the CCB. The researcher must therefore formally ask the CCB for authorisation to publicly disclose his or her findings. The request may be sent to the email address mentioned in the vulnerability reporting procedure.

    As soon as the request is made to the CCB, a deadline of 90 days starts. If, at the end of this deadline of 90 days, the researcher has not been notified of a refusal, he may consider the disclosure authorised.

    A decision to authorise publication does not imply that the vulnerability has been validated by the CCB, but only that the CCB has insufficient information to oppose disclosure on the grounds that it poses a risk to public security (for the information systems of the organisation concerned or other organisations).

  • What elements does the CCB take into account when it considers authorising the publication of a vulnerability?

    The CCB may notably take into account the following elements when considering whether or not to allow the public disclosure of a vulnerability (non-exhaustive list):

    • the severity of the vulnerability and the extent to which it can be exploited;
    • the criticality of the organisations affected by the vulnerability (e.g. essential or important entities in the context of NIS2);
    • the extent to which the vulnerability can be detected and the likelihood of it being exploited by others;
    • the implementation of a solution on the affected information systems;
    • whether or not the vulnerability can be validated.

  • What if a vulnerability is also a personal data breach?

    If an organisation is informed of a vulnerability by the CCB, it must assess whether that vulnerability also constitutes a personal data breach which must be reported to the competent data protection authority under the GDPR.

    In the event of a potential personal data breach that could pose a risk to the rights and freedoms of natural persons, the CCB would like to remind all concerned organisations that it is the responsibility of the data controller to inform the Belgian Data Protection Authority (DPA/APD) as soon as possible and no later than 72 hours after becoming aware of it (see the explanations and the procedure required on the DPA website).