FAQ on Coordinated Vulnerability Disclosure Policy (CVDP) and bug bounty programmes.
The purpose of these FAQs is to set out the concepts, objectives, main legal issues and good practices relating to the adoption of Coordinated Vulnerability Disclosure Policies (CVDP) and the vulnerability reporting procedure (see the dedicated page: Vulnerability reporting to the CCB) in the current state of legislation in Belgium. In Belgium, any natural or legal person, acting without fraudulent intent or malice, may, even in the absence of a CVDP, search for and report potential vulnerabilities in networks and information systems, provided that certain conditions are strictly met (see below). Nevertheless, the author of a vulnerability report must be aware that he or she does not benefit from a general exclusion of liability when searching for or reporting vulnerabilities (within or outside the scope of a CVDP): he or she must remain proportionate in his or her actions, act with caution and scrupulously comply with all the conditions required.
1. What is a coordinated vulnerability disclosure policy (CVDP)?
It is a set of rules determined in advance by an organisation responsible for information systems, authorising participants (or "ethical hackers") to search for potential vulnerabilities in its systems with good intentions, or to pass on any relevant information on this subject. These rules, which are generally published on a website, establish a legal framework for collaboration between the organisation responsible and the participants in the policy. In particular, they must ensure the confidentiality of the information exchanged and provide a responsible and coordinated framework for any disclosure of discovered vulnerabilities. Thus, the notion of "disclosure" should not be understood as necessarily implying public communication of the vulnerability, but rather communication from the participant to the responsible organisation.
While disclosure of the vulnerability by the participant to the responsible organisation is mandatory, public disclosure of the vulnerability (by the participant or the organisation concerned) is, on the other hand, optional in the context of a CVDP. A vulnerability is a weakness, susceptibility or flaw in a network or information system that can be exploited by a cyber threat. A vulnerability can potentially lead to an unexpected or undesirable event, and can be exploited by malicious third parties with a view to violating the integrity, authenticity, confidentiality or availability of a system or causing damage.
2. What is a bug bounty programme?
A bug bounty programme is a set of rules defined by an organisation to award rewards to participants who identify vulnerabilities in the technologies it uses. This reward can take the form of a sum of money, gifts or public recognition (ranking among the best participants, publication, conference, etc.). It is a form of coordinated vulnerability disclosure policy in which the participant is rewarded according to the number, importance or quality of the information provided. This form of policy is more attractive to potential participants and often offers better results for organisations. In particular, the organisation can call on a bug bounty platform to provide technical and administrative assistance for the management of its vulnerability discovery reward programme (coordinator role).
3. What is a coordinator?
A coordinator is a natural or legal person who acts as an intermediary between the participant and the organisation responsible for an information system by providing logistical, technical and legal assistance, or other functions, in order to facilitate their collaboration. In the absence of a coordinator designated in the policy, this role is played by the Centre for Cybersecurity Belgium (CCB - vulnerabilityreport@cert.be).
4. What is a CVDP participant or "ethical hacker"?
A CVDP participant is a well-intentioned person who wishes to contribute, with the authorisation of the organisation responsible, to improving the security of information systems. They may, for example, carry out penetration tests or use other methods to verify the security of information systems. They are the opposite of hackers who use their skills to attempt to gain unauthorised access to a system with malicious intent. The participant, for their part, intends to warn the person in charge of the information system, or a coordinator, of any vulnerabilities discovered in order to eliminate them.
5. Is it legal to search for and report vulnerabilities in Belgium (as part of a CVDP, a reward programme or even outside such policies)?
A CVDP or a reward programme for the discovery of vulnerabilities is a form of membership contract in which the main contractual provisions are laid down by the organisation responsible for an information system and then accepted by the participant when the latter freely decides to take part in the programme set up. The adoption of such a policy clarifies the legal situation of participants by enabling them to prove, subject to compliance with the conditions set out in the policy, the existence of prior authorisation for access to the IT systems concerned and therefore the absence of an illicit intrusion (see Guide to coordinated vulnerability disclosure policies. Part II: Legal aspects).
Since the adoption of new legal provisions in 2023, the CCB can also receive reports of potential vulnerabilities from natural or legal persons. This legal regime can also be applied when difficulties arise in the context of a CVDP or a reward programme. It is, however, subject to conditions, including strict limitation to necessary and proportionate actions, absence of fraudulent intent or malice, and notification and reporting, as soon as possible, to the organisation responsible for the system and to the CCB respectively. For more information, see our page Vulnerability reporting to the CCB.
Outside of the above frameworks, it is not legal to hold (share or sell) information about computer vulnerabilities or "exploits" (computer programs that use the vulnerability) obtained as a result of an unauthorised intrusion into a computer system, even if the person in question is not responsible for the unauthorised intrusion in question.
6. What are the benefits of a CVDP or a reward programme for the discovery of vulnerabilities?
A CVDP can provide the responsible organisation with information about vulnerabilities in its systems in a fair and lawful manner, enabling it to take appropriate and timely action. This enables it to effectively prevent or limit, as far as possible, the risks and potential damage that these vulnerabilities could cause. In addition to other technical and organisational measures, the implementation of a CVDP is an appropriate technical and organisational measure to prevent incidents that could compromise the security of its networks and information systems (and its personal data). It has the undeniable advantage of identifying vulnerabilities and remedying them before a security incident occurs.
Of course, the attractiveness and effectiveness of the policy are increased when the organisation responsible decides to reward participants according to the importance and quality of the information provided (as part of a bug bounty programme). Even when the organisation grants rewards and uses an external coordinator (ethical hacking platform), the costs associated with implementing a policy of coordinated disclosure of vulnerabilities are generally better controlled than those associated with having audits carried out by external companies. Indeed, the granting of a reward in the context of a vulnerability discovery reward programme results from an obligation of result on the part of the participant, whereas the external auditor is generally only bound by an obligation of means. The latter should therefore be remunerated for all their services, even if they find no vulnerabilities or only minor ones as a result of their research. International technical standards in the field of IT security explicitly recommend the implementation of a CVDP (see, for example, international standards ISO/IEC 29147 and 30111).
Adopting a CVDP also encourages knowledge and research in the field of cybersecurity. This approach implies a commitment by the organisation concerned to process the information provided by participants and to try to remedy the vulnerabilities identified, or at the very least to inform users of the risks involved. This commitment can also constitute a marketing argument and be highlighted in the organisation's communications. Confidence in information systems is undoubtedly an important factor for users and consumers. A CVDP makes it possible to establish a legal framework between ethical hackers and the organisation, which reinforces the confidentiality of information, provides the best possible framework for any public disclosure, and avoids any possible damage to the organisation's reputation. Finally, the implementation of a coordinated disclosure policy makes it possible to prove the organisation's efforts to comply with its legal obligations to secure its networks and information systems: General Data Protection Regulation EU no. 2016/679 ("GDPR"), Law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security ("NIS Law"), rules of civil liability, Code of Economic Law, etc. (see Guide to coordinated vulnerability disclosure policies. Part I: Good practices).
7. What happens if a participant does not comply with the terms of the CVDP?
A participant in a CVDP must, in principle, comply strictly with the conditions of the policy of the organisation responsible for the IT system. Alternatively, and if all the legal conditions have been met (including reporting to the CCB), the participant may also apply the procedure for reporting vulnerabilities as described in question 5. Apart from these situations, the participant does not benefit from legal protection and could be prosecuted for his or her vulnerability research activities.
8. How does one become an ethical hacker?
Access to the profession of CVDP participant or "ethical hacker" is not regulated. Anyone can therefore declare themselves to be an "ethical hacker". However, ethical hackers can demonstrate their skills through diplomas, training, professional experience or by passing tests with the organisation responsible (or a coordinator managing a bug bounty platform, for example). There are also recognised training courses in this area (see in particular the "Certified Ethical Hacker - (CEH)" certification organised by the International Council of Electronic Commerce Consultants (EC-Council) and recognised by the American National Standards Institute (ANSI)).
9. Who should I contact if the organisation responsible for the information system does not have a CVDP?
When there is no CVDP or reward programme for the discovery of vulnerabilities (private or public), the ethical hacker will have to comply with the legal conditions of the vulnerability reporting procedure in order to be authorised, under Belgian law, to test the security of the information system of the organisation responsible.
10. What happens if personal data is processed as part of a CVDP?
The purpose of a CVDP is not to intentionally process personal data, but it is possible that the participant may have to process personal data, even incidentally, as part of their vulnerability research. The notion of processing of personal data is broad in scope and includes in particular the storage, modification, retrieval, consultation, use or disclosure of any information that could relate to an identified or identifiable natural person. Whether a person is "identifiable" does not depend on whether the data controller actually wishes to identify the person, but on whether it is possible to identify the person, directly or indirectly, using the data (for example: an e-mail address, identification number, online identifier, IP address or location data). The controller is the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the processing.
Since the CVDP constitutes a form of membership contract binding the ethical hacker to the organisation responsible, it is useful to specify the obligations of the parties with regard to the processing of personal data, in particular the purposes and essential means of any processing carried out under this policy (see Guide to coordinated vulnerability disclosure policies. Part I: Good practices and Part II: Legal aspects).