To clarify the situation of these people with good intentions, a new legal framework is planned to take effect on 15 February 2023.  This framework describes how a natural or legal person with no fraudulent intent or intention to cause harm can detect and must report existing vulnerabilities in networks and information systems in Belgium.

The basic principles revolve around respecting proportionality and necessity: the researcher may only perform actions that are necessary to demonstrate the existence of the vulnerability. Unless a reward is agreed in advance (as, for example, in a bug bounty programme or an agreed penetration test), the hacker may not demand a reward or payment.

 

One of the new provisions is that a discovered vulnerability must be reported as soon as possible to the responsible owner of the IT system and reported to the Centre for Cybersecurity Belgium (CCB) according to the procedure provided for that purpose.

 

Finally, under no circumstances may one disclose the discovered vulnerability without the permission of the CCB.