FAQ on Coordinated Vulnerability Disclosure Policy (CVDP) and bug bounty programmes.
This FAQ provides an overview of the concepts, objectives, legal issues and good practices surrounding the implementation of a Coordinated Vulnerability Disclosure Policy (CVDP) in the current state of Belgian law - see the guides on the CCC website.
We would point out that the documents drawn up by the CCC in no way modify the existing legal rules. Unauthorised intrusion into the IT system of a third party, even with good intentions, is a criminal offence.
The participant in a CVDP must scrupulously comply with all the conditions of the policy and be aware that he cannot invoke a general exclusion of liability when participating in this policy.
1. What is a coordinated vulnerability disclosure policy (CVDP)?
This is a set of rules defined in advance by an organisation responsible for information systems to allow participants (or "ethical hackers"), with good intentions, to identify possible vulnerabilities in its systems, or to provide it with all relevant information about them. These rules, usually made public on a website, make it possible to establish a legal framework for cooperation between the responsible organisation and the policy participants. These rules must guarantee, among other things, the confidentiality of the information exchanged and provide a responsible and coordinated framework for any disclosure of discovered vulnerabilities.
The concept of disclosure does not necessarily mean that the vulnerability is made public, but rather that the participant communicates it to the responsible organisation. The participant is obliged to communicate the vulnerability to the responsible organisation, but its public disclosure (by the participant or the organisation concerned) is optional within the framework of a CVDP.
A vulnerability is a flaw or weakness, a design or implementation error, a lack of updates in the light of existing technical knowledge, which can compromise the security of information technologies. A vulnerability may lead to an unexpected or unwanted event and can be exploited by malicious third parties to violate the integrity, authenticity, confidentiality or availability of a system or to cause damage to a system.
2. What is a vulnerability detection reward scheme (or "bug bounty")?
A vulnerability detection reward scheme is a set of rules defined by an organisation to provide rewards to participants who identify vulnerabilities in its technologies. This reward can be a sum of money, but also a gift or a simple public recognition (ranking among the best participants, publication, conference, etc.).
This is a policy for coordinated disclosure of vulnerabilities that provides for the awarding of a reward to the participant depending on the amount, importance or quality of the information transmitted.
This policy is more attractive to potential participants and often leads to better results for the organisation. In particular, the organisation can rely on a bug bounty platform that provides technical and administrative assistance to manage its vulnerability detection reward programme (role of coordinator).
For example: www.intigriti.com (Belgium); www.yeswehack.com or www.yogosha.com (France); www.hackerone.com, www.bugcrowd.com (US).
3. What is a coordinator?
A coordinator is a natural or legal person who acts as an intermediary between the participant and the organisation responsible for an information system by providing logistical, technical and legal support or by fulfilling another function in order to facilitate cooperation.
If no coordinator has been appointed within the framework of the policy, the Centre for Cybersecurity Belgium (CCB - firstname.lastname@example.org) can fulfil this role.
4. What is a CVDP participant or "ethical hacker"?
This is a person with good intentions who, with the consent of the responsible organisation, wishes to contribute to better security of information systems. He can, for example, carry out pen tests or use other methods to check the security of information systems.
He is the direct opposite of the hacker who uses his skills to gain unauthorised access to a system with bad intentions. The participant should inform the person in charge of the information system or a coordinator of any vulnerabilities discovered, so that they can be eliminated.
5. Is it legal to participate in a CVDP or a vulnerability assessment reward scheme in Belgium?
A CVDP or vulnerability detection reward scheme is a form of accession agreement in which the main contractual terms are set by the organisation responsible for an information system and then accepted by the participant when they freely decide to participate in the scheme so established.
The introduction of such a policy clarifies the legal situation of the participants. After all, they will be able to demonstrate that they have prior authorisation to access the information systems concerned and will thus avoid any accusation of unauthorised intrusion into those systems, provided that the conditions set out in the policy are met (see Guide on the policy for coordinated disclosure of vulnerabilities. Part II: Legal aspects).
On the other hand, it is not legal in Belgium, even with good intentions, to conduct information security testing on systems of an organisation that does not have a CVDP in advance or does not participate in a vulnerability detection reward programme. In this case, it is an unauthorised intrusion into a computer system or an attempt to do so, which may be punishable by criminal law.
It is also not legal to keep (share or sell) information about computer vulnerabilities or exploits obtained as a result of an unauthorised intrusion into a computer system, even if the person involved is not responsible for the unauthorised intrusion.
6. What are the benefits of a CVDP or a vulnerability detection reward programme?
A CVDP can fairly and legitimately provide the responsible organisation with information about vulnerabilities in its systems and enable it to take appropriate and timely action. In this way, potential risks and damage that these vulnerabilities may cause can be prevented or mitigated as effectively as possible.
Among other technical and organisational measures, the implementation of a CVDP is an appropriate technical and organisational measure to prevent incidents that would compromise the security of the organisation's network and information systems (and of the personal data it processes). A CVDP offers the distinct advantage that vulnerabilities are identified and remedied before a security incident occurs. Obviously, the policy is more attractive and more effective if the responsible organisation decides to provide rewards to participants depending on the importance and quality of the information provided (as part of a vulnerability detection reward programme or bug bounty programme).
Even if the organisation grants rewards and uses an external coordinator (ethical hacking platform), the introduction of a policy for coordinated disclosure of vulnerabilities is usually more budget-friendly than having external firms conduct audits. After all, the awarding of a reward in the context of a vulnerability detection programme results from an obligation of result on the part of the participant, whereas an external auditor is usually only bound by an obligation of means. The latter must therefore be remunerated for all his services, even if he has found no vulnerabilities or only minor ones at the end of his investigation.
The international technical standards on the security of information technologies also explicitly recommend the implementation of a CVDP (see, for example, the international standards ISO/IEC 29147 and 30111). The introduction of a CVDP also promotes knowledge and research in the area of cyber security.
This approach implies that the organisation concerned commits to process the information provided by the participants and to try to remedy the identified vulnerabilities, or at least to make the users aware of the risks. This commitment may also be a marketing argument. The organisation may point this out in its communications. Trust in information systems is certainly an important element for users or consumers.
A CVDP makes it possible to establish a legal framework between ethical hackers and the organisation, which promotes the confidentiality of the information, regulates any public disclosure as well as possible and prevents any reputational damage to the organisation.
Finally, by implementing a coordinated disclosure policy, the organisation can demonstrate its efforts to comply with its legal obligations for the security of its network and information systems: General Data Protection Regulation EU No. 2016/679 ("AVG"), Law of 7 April 2019 establishing a framework for the security of network and information systems of public interest for public security ("NIS Law"), Civil Liability Regulations, Economic Code, etc. (see Guide on Policy for Coordinated Disclosure of Vulnerabilities. Part I: Good Practices).
7. What if a participant does not respect the terms of the CVDP?
The participant of a CVDP has to adhere closely to the conditions of the CVDP and the applicable legal provisions.
Otherwise the participant will no longer enjoy the protection of the CVDP and may be considered a criminal, regardless of his good intentions.
8. How to become an ethical hacker?
Access to the profession of CVDP participant or "ethical hacker" is not regulated. Therefore, anyone can call himself an 'ethical hacker'.
Nevertheless, an ethical hacker can prove his skills through diplomas, training courses or professional experience, or even by passing tests with the responsible organisation (or with a coordinator who, for example, manages a bug bounty platform).
There are also recognised training courses in this area (see in particular the "Certified Ethical Hacker - (CEH)" certification, organised by the International Council of Electronic Commerce Consultants (EC-Council) and recognised by the American National Standards Institute (ANSI)).
9. Who should I contact if the organisation responsible for the information system does not have a CVDP?
If there is no CVDP or vulnerability detection reward programme (private or public), the ethical hacker is not authorised to test the security of the information system of the responsible organisation.
The ethical hacker should try to contact a professional first-line support: external coordinators under a CVDP or managers of vulnerability detection reward programmes (bug bounty programmes). He should inform them of the situation and seek their advice.
If no help is forthcoming from a third-party "coordinator", the Centre for Cybersecurity Belgium can offer the ethical hacker second-line support (email@example.com).
10. What if personal data are processed in the framework of a CVDP?
The aim of a CVDP is not to intentionally process personal data. However, it is possible that the participant, even by accident, needs to process personal data as part of his/her research into vulnerabilities.
Processing personal data has a broad meaning and includes in particular the storage, modification, retrieval, consultation, use or disclosure of any data concerning an identified or identifiable natural person. The "identifiable" character of the person does not depend on the mere will to identify on the part of the data processor, but on the possibility of identifying the person directly or indirectly by means of these data (for example: an e-mail address, identification number, online identifier, IP address or location data).
The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.
As the CVDP is a form of accession agreement binding the ethical hacker to the responsible organisation, it should set out the obligations of the parties in relation to the processing of personal data, in particular the purpose and essential means of any processing under this policy (see Guide - Part I Good Practice and Part II Legal Aspects).