www.belgium.be Logo of the federal government

New legal framework for reporting IT vulnerabilities

15 February 2023

Cybercriminals actively seek out vulnerabilities and then use them to penetrate systems or networks.  They may do so to steal data, to sabotage, to launch a ransomware attack or even for espionage purposes.
But there are also people with good intentions who, at the request of an organisation or otherwise, actively seek out vulnerabilities. They provide their findings to the organisation so that it can better secure its systems or networks.  

A new legal framework

To clarify the situation of these people with good intentions, a new legal framework is planned to take effect on 15 February 2023.  This framework describes how a natural or legal person with no fraudulent intent or intention to cause harm can detect and must report existing vulnerabilities in networks and information systems in Belgium.
The basic principles revolve around respecting proportionality and necessity: the researcher may only perform actions that are necessary to demonstrate the existence of the vulnerability. Unless a reward is agreed in advance (as, for example, in a bug bounty programme or an agreed penetration test), the hacker may not demand a reward or payment.
One of the new provisions is that a discovered vulnerability must be reported as soon as possible to the responsible owner of the IT system and reported to the Centre for Cybersecurity Belgium (CCB) according to the procedure provided for that purpose.
Finally, under no circumstances may one disclose the discovered vulnerability without the permission of the CCB.