As the national authority for cybersecurity, the CCB has developed several initiatives for specific audiences, which are presented here.
Coordinated Vulnerability Disclosure (CVD)
Every computer system or network may contain vulnerabilities. These vulnerabilities can be discovered both by well-intentioned people and by people with bad intentions. Unless a coordinated vulnerability disclosure (CVD) policy or bug bounty programme is in place, the fear of being sued often prevents well-intentioned people from looking for and reporting these vulnerabilities.
A legal framework has been adopted in Belgium to avoid this situation.
This framework allows any natural or legal person, acting without fraudulent or malicious intent, to investigate and voluntarily report potential existing vulnerabilities in ICT products (an item or group of items belonging to a network or information system) or ICT services (networks and information systems) subject to Belgian law (products, systems or networks located in Belgium), in the framework of a legal procedure (see detailed explanations).
The legal procedure then offers protection to the researcher, subject to compliance with various conditions. One of these conditions is to report the vulnerabilities discovered to the Centre for Cybersecurity Belgium (CCB) as quickly as possible and in accordance with the procedure laid down for this purpose.
It should be noted that the research and reporting of vulnerabilities in products, networks or information systems located in whole or in part outside Belgian territory may be subject to the laws of other countries, which do not necessarily guarantee equivalent legal protection.
(last update: 28/08/2025)
The Centre for Cybersecurity Belgium (hereinafter, the "CCB"), in its capacity as a national CSIRT, can receive reports of potential vulnerabilities from natural or legal persons (see articles 22 and 23 of the Law of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security - hereafter the “NIS2 law”).
Outside of the legal reporting procedure, the CCB also plays a supplementary role as coordinator (by default) in the implementation in Belgium of coordinated vulnerability disclosure policies or bug bounty programs (assistance, coordination, information sharing, etc.).
Type of procedure | The use of the legal reporting procedure for potential vulnerabilities is optional/voluntary but strongly encouraged, as it allows researchers to benefit from legal protection (under criminal and civil law) where applicable. |
Scope of application | Any individual or legal entity may report, even anonymously, the existence of a potential vulnerability affecting an ICT product (an item or group of items belonging to a network or information system) or an ICT service (a service consisting wholly or mainly of transmitting, storing, retrieving or processing information using networks and information systems) subject to Belgian law (products, systems or networks located in Belgium). The scope of the legal procedure does not depend on the location of the vulnerable organisation, but rather on the location of the products and information systems concerned. |
Interaction with other procedures or legislation | This procedure is without prejudice to the application of other legal procedures (relating to whistleblowers, GDPR, CRA, etc.). If the organisation concerned has a coordinated vulnerability disclosure policy (hereinafter CVD) or bug bounty program, the researcher who discovers a vulnerability is invited to contact the organisation concerned directly and follow the terms of these policies as far as possible. However, the researcher is free to choose to use the legal reporting procedure (either alone or in combination with the rules adopted by the organisation concerned). Where the vulnerability may affect other organisations, it is also recommended that it be reported to the CCB. The research and reporting of vulnerabilities in products, networks or information systems located in whole or in part outside Belgian territory may be subject to the laws of other countries, which do not necessarily guarantee equivalent legal protection. |
Definition | A vulnerability is a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat (article 8, 15° of the NIS2 law). |
1° you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability and to report it (see point C "proportionality and necessity of actions" below).
2° you must act without fraudulent intent or intent to harm.
You may not use your research for fraudulent purposes or with malicious intent. For example, you may not attempt to sell the information discovered to the responsible organisation or to third parties (unless, of course, a reward or remuneration has been explicitly agreed upon beforehand in the context of a pentest, bug bounty, agreement, etc.). Similarly, without the contractual agreement of the responsible organisation, you may not use the discovered vulnerability for your own benefit or that of a third party.
When possible, and to demonstrate your good intentions, make yourself known to the responsible organisation beforehand or during your research, for example by including an identifying HTTP header or another identifiable parameter in your requests.
3° without undue delay and at the latest within 24 hours after the discovery of a potential vulnerability, you must address a simplified notification of the vulnerability to the organisation responsible and to the CCB, according to the procedure described in point D.
The notification of a vulnerability takes place in two stages: first a simplified notification within 24h, then a complete notification within 72h at the latest. The aim of the first notification is to inform the concerned organisation and the CCB that a potential vulnerability has been found. It contains an identification of the concerned systems and a simplified description of the potential vulnerability.
The deadline starts from the moment when the person should reasonably have known about the discovery of a potential vulnerability (see definition), i.e. after a reasonable period of investigation and validation to establish a possible vulnerability.
You will not be eligible for legal protection if you do not notify the organisation concerned and the CCB within the required deadlines.
4° without undue delay and at the latest within 72 hours after the discovery of a potential vulnerability, you must address a full notification of the vulnerability to the organisation responsible and to the CCB, according to the procedure described in point D.
The full notification contains a detailed description of the vulnerability, including precise steps to reproduce it, as well as other technical information such as configuration details, operating system, tools used, etc.
When more than one person was involved in the research, both the simplified and the complete notification may be made on behalf of several individuals, who then assume collective responsibility. For convenience, multiple vulnerabilities involving the same responsible organisation may also be reported in a single simplified or complete notification. However, a separate notification must be made for each organisation concerned.
In order to establish the timeliness of your reports, it is recommended that you keep evidence of the actions taken (logging) with regard to the system, process or control concerned and that you communicate this information to the CCB at the time of the reports. Within the two deadlines, it is also recommended to do the reports prior to any active resistance by the responsible organisation (e.g., shutting down the ports) and/or any criminal investigation, to emphasize the timeliness of the reports.
5° you must not publicly disclose information about the discovered vulnerability without the agreement of the CCB.
You must not make publicly available (or share with third parties not involved in the research) without the prior consent of the CCB any information provided in the report that would enable the identification of the organisation concerned, the vulnerable systems, the specific vulnerability and how it can be exploited.
You must report the vulnerability to the organisation concerned and to the CCB, but its subsequent public disclosure remains optional and must, in all cases, be carried out in a coordinated manner (taking into account the interests of the parties concerned and the existing risks, in particular the public interest in disclosure) – see point F. Procedure below.
If several organisations are affected by the same vulnerability, submit a separate report for each organisation concerned (see 4° above).
This does not prevent the researcher from speaking in general terms about certain types of vulnerabilities (without mentioning the specific vulnerability reported, the organisation concerned or the method used).
6° concerning the networks and information systems of some organisations, you must, before starting your research, conclude a written vulnerability research agreement with the concerned service.
This additional condition applies only to the information systems of the following organisations (and to information processed by or for them): SGRS/ADIV, VSSE, OCAM/OCAD, Ministry of Defence, police services, Belgian diplomatic and consular missions outside the EU, Class I nuclear establishments, NCCN, CCB, and judicial authorities. Such an agreement may, for example, take the form of a CVD policy adopted by the organisation.
Your actions must be limited to what is necessary and proportionate to allow the discovery and the reporting of a vulnerability in a network or information system.
Depending on the context, the following actions may in particular be considered proportionate (non-exhaustive list):
Your actions and research methods must remain necessary and proportionate regarding the objective of verifying the existence of a vulnerability in order to improve the security of the system, process or control concerned. The techniques used must therefore be necessary and proportionate to the demonstration of a security flaw.
If the demonstration is possible on a small scale, you shall not extend your research further. The goal is not to use the vulnerability to examine how far one can penetrate a system, process, or control. Similarly, there is no justification for disrupting the availability of services provided by the affected equipment.
Data from the system, process or control concerned may not be used or retained unless this is necessary to demonstrate the existence of the vulnerability. Similarly, all data collected should be deleted within a reasonable time after the report. If it is necessary to keep this data for a longer period, or if legal proceedings are in progress, you must ensure that the data is kept secure during that period.
Depending on the context, the following actions may be in particular considered disproportionate and/or unnecessary (non-exhaustive list):
Finally, you should also take into account that if your vulnerability research is carried out on networks or information systems located in whole or in part outside the Belgian territory, the present reporting procedure will only protect you in Belgium and not in the other countries concerned.
You must send the discovered information exclusively to the following e-mail address: vulnerabilityreport[at]ccb.belgium.be, with the following forms:
The completed forms must be sent to us in Word or PDF format, either password-protected or inside a password-protected zip archive (to avoid being blocked by our anti-virus filters).
The file must be a maximum of 7 MB.
See point B, 3° and 4° to determine which form to send at each stage (simplified notification within 24 hours, full notification within 72 hours).
Whenever possible, we encourage you to use the following secure means of communication:
encrypt your report with the PGP key corresponding to "Vulnerability Report";
protect the form with a password, which can be communicated to us by e-mail.
Provide enough information to allow us to understand the vulnerability and resolve it as quickly as possible.
Provided that you comply with all the conditions set out in point B and C, a cause of justification can be accepted in a limited way for the offences from articles 314bis, 458, 550bis, and 550ter of the Criminal Code (see references to the corresponding articles in the new Criminal Code - articles 342, 343, 352, 524 to 533), as well as article 145 of the law of 13 June 2005 on electronic communications.
When you report information on a potential vulnerability that you have become aware of in your professional context, you are not considered to have breached your obligation of professional secrecy and do not incur any liability whatsoever regarding the transmission of information necessary to report a potential vulnerability to the CCB.
Any other liability of the authors of the report arising from acts or omissions that are not necessary for completing the reporting procedure, or that do not comply with all the conditions listed in point B, remains unaffected. Such acts or omissions continue to be punishable under criminal and civil law.
It is important to bear in mind that this legal protection is limited to the application of Belgian law and does not protect you against possible offences committed under the laws of other countries.
Finally, if you so request and if the conditions in point B are met, the CCB undertakes to respect the confidentiality of your identity.
Upon receipt of a vulnerability report, the CCB will acknowledge receipt of the report to the reporter.
If an acknowledgement is not received within a reasonable period of time, or if the person has specific questions, he or she may, if necessary, contact vulnerabilitydisclosure[at]ccb.belgium.be.
When submitting the report or during the proceedings, the person making the report may request anonymity (and be granted it if the conditions of the legal proceedings are met).
The person reporting the vulnerability and the CCB undertake to make every effort to ensure continuous and effective communication in order to identify and address the vulnerability.
Based on the information at its disposal, the CCB will conduct a reasonable review of compliance with the conditions of the legal reporting procedure (deadlines, conduct/actions of the researcher, absence of public disclosure without prior agreement, possible prior written agreement for certain organisations), see points B and C, where applicable, in collaboration with the relevant departments of the Public Prosecutor's Office. However, the CCB is not empowered to make a final decision on whether or not these conditions have been met, as this is the sole responsibility of the judicial authorities.
The CCB may observe, study or test the security of a network and information system in order to determine the existence of a potential vulnerability or to verify the methods used by the author of a report. However, it is not obliged to formally validate or test each ‘potential vulnerability’ reported to it.
If the researcher wishes the vulnerability to be made public, they must submit a formal request to the CCB, which will contact them and the organisation concerned to examine the possibility of disclosure and negotiate the deadline.
The decision to authorise any public disclosure rests with the CCB Management on the basis of the information provided by the various parties concerned.
The CCB will make its decision taking into account in particular the following factors (non-exhaustive list):
A decision to authorise publication does not imply that the vulnerability has been validated by the CCB, but only that the CCB has insufficient information to oppose disclosure on the grounds that it poses a risk to public security (for the information systems of the organisation concerned or other organisations).
If no decision has been made within 90 days of the formal request for public disclosure, the researcher may consider that the CCB has no objection or grounds to oppose public disclosure of the vulnerability.
In the course of your research and reporting of a vulnerability, you may come into contact with personal data.
The processing of personal data is broad in scope and includes the storage, modification, retrieval, consultation, use or disclosure of any information that may relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the simple will of the data processor to identify the person but on the possibility to identify, directly or indirectly, the person with the help of these data (for example: an email address, identification number, online identifier, IP address or location data).
In this case, the reporter must make sure that he complies with his obligations regarding the protection of personal data as a data controller under the General Data Protection Regulation (GDPR).
Respecting the principles of necessity and proportionality, he must limit himself to the strict minimum possible processing of personal data and exclude their use for other purposes than demonstrating the existence of a vulnerability, demonstrating the reality of his actions, and communicating this information to the responsible organisation and to the CCB. Where the demonstration of a vulnerability is possible with a limited amount of personal data, not all accessible data need be processed or retained.
In particular, the reporter must ensure that any data they have to process is stored with a level of security appropriate to the risks involved (preferably encrypted and anonymised) and that this data is deleted as soon as the processing is no longer necessary (i.e. at the end of the reporting procedure or, in the event of a challenge or legal proceedings, at the end of those proceedings).
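The data-minimisation obligation above is easier to meet if the proof-of-concept evidence is reduced before it ever lands in the report. The following Python example is added here to illustrate that; it is not code from the CCB page. It assumes a hypothetical CSV export obtained through an over-permissive endpoint; the column names and every row value are constructed, not real people. Direct identifiers are dropped, quasi-identifiers are replaced by keyed pseudonyms (only the researcher holds the key), only as many rows are retained as the demonstration needs, and a per-record digest lets the organisation confirm the rows against its own data without the report carrying them.

```python
import csv
import hashlib
import hmac
import io
import json
import secrets

# Constructed sample of what an over-broad proof of concept might pull from a
# hypothetical customer export.  All names, e-mails, numbers and IPs are invented.
SAMPLE_EXPORT = """\
id,name,email,national_number,last_ip,plan
1042,Anna Voorbeeld,anna@example.org,85.01.01-001.23,192.0.2.10,premium
1043,Bram Exemple,bram@example.net,90.12.31-123.45,198.51.100.7,basic
1044,Claire Muster,claire@example.com,77.07.07-007.07,203.0.113.99,premium
"""

# Column classification is an assumption about this constructed export.
DIRECT_IDENTIFIERS = {"name", "national_number"}   # never reproduced in the report
QUASI_IDENTIFIERS = {"email", "last_ip"}            # replaced by keyed pseudonyms


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same identifier yields the same token within one report,
    while no one without the key can enumerate candidates to reverse it."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return "psd:" + tag


def record_digest(row: dict) -> str:
    """Unkeyed digest over the canonical full row.  The organisation can recompute
    it from its own database to confirm which record was exposed."""
    canonical = "|".join(f"{k}={v}" for k, v in sorted(row.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def minimise_export(export_text: str, key: bytes, max_rows: int = 1) -> dict:
    """Reduce a leaked export to the minimum evidence needed for the report.

    Returns the number of rows observed (to convey impact), the number retained,
    and the retained rows with direct identifiers removed and quasi-identifiers
    pseudonymised.  The original rows are never stored by this function."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    evidence = []
    for row in rows[:max_rows]:
        reduced = {}
        for column, value in row.items():
            if column in DIRECT_IDENTIFIERS:
                continue
            reduced[column] = pseudonym(value, key) if column in QUASI_IDENTIFIERS else value
        reduced["record_digest"] = record_digest(row)
        evidence.append(reduced)
    return {
        "rows_observed": len(rows),
        "rows_retained": len(evidence),
        "evidence": evidence,
    }


if __name__ == "__main__":
    # Fresh per-report key; keep it with the researcher's own evidence, not in the report.
    report_key = secrets.token_bytes(32)
    print(json.dumps(minimise_export(SAMPLE_EXPORT, report_key), indent=2))
```

The retained row still shows the vulnerable record identifier and the record count, which is what the organisation needs to locate and fix the flaw; pseudonymised and digested values remain personal data in the GDPR sense, so the same storage, encryption and deletion rules apply to them and to the key.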
In case of a possible loss of personal data, which could create a risk for the rights and freedoms of the data subjects, the reporter must also inform the responsible organisation and the Data Protection Authority (DPA), as soon as possible and no later than 72 hours after becoming aware of it (see explanations and the required procedure on the DPA website).
If an organisation is informed of a vulnerability by the CCB, it must assess whether said vulnerability may not be considered as a personal data breach which must be reported to the competent data protection authority under the GDPR.
In the event of a potential personal data breach that could pose a risk to the rights and freedoms of natural persons, the CCB reminds all organisations concerned that it is the responsibility of the data controller to inform the Data Protection Authority (DPA) as soon as possible and no later than 72 hours after becoming aware of it (see the explanations and the required procedure on the DPA website).