
CCB COORDINATED VULNERABILITY DISCLOSURE POLICY

THE BELGIAN STATE represented by the Centre for Cyber Security Belgium (CCB), with offices at Rue de la Loi 16, 1000 Brussels.

1. Policy scope

In order to improve the performance and security of its websites, the Centre for Cyber Security Belgium (CCB) has decided to implement a coordinated vulnerability disclosure policy. It allows outside participants acting in good faith to identify possible vulnerabilities and/or provide the CCB with useful information.

Access to the IT systems of the CCB websites within the framework of this policy is granted only to persons whose intention is to improve the security of those systems and to inform us of existing vulnerabilities, and only in strict compliance with the other conditions set out in this document.

Participants are also authorised to attempt to enter IT data into the IT system concerned, subject to the purposes and conditions of this policy.

Our policy relates to security vulnerabilities that could be abused by third parties or interfere with the proper functioning of our products, services, network or IT systems.

List of the products, services or websites within the scope of this policy:

Systems dependent on third parties are outside the scope of this policy, unless these third parties explicitly agree in advance to these rules.

If you have any questions about the scope of this policy, please contact the CCB's legal department (vulnerabilitydisclosure[at]ccb.belgium.be).

2. Mutual obligations of the parties

A. Proportionality

Participants undertake to comply strictly with the principle of proportionality in all their activities, i.e. not to disrupt the availability of the services provided by the system and not to exploit vulnerabilities beyond what is strictly necessary to demonstrate the security issue. Their approach must remain proportionate: once the security problem has been demonstrated on a small scale, no further action should be taken.

B. Actions that are not allowed

Participants are not permitted to take the following actions:

  • copying or altering data from the IT system or deleting data from that system;
  • changing the IT system parameters;
  • installing malware: viruses, worms, Trojan horses, etc.;
  • Distributed Denial of Service (DDoS) attacks;
  • social engineering attacks;
  • phishing attacks;
  • spamming;
  • stealing passwords or brute force attacks;
  • installing a device to intercept, store or learn of (electronic) communications that are not accessible to the public;
  • the intentional interception, storage or receipt of communications not accessible to the public or of electronic communications;
  • the deliberate use, maintenance, communication or distribution of the content of non-public communications or of data from an IT system where the participant should reasonably have known it had been obtained unlawfully.

C. Confidentiality

Under no circumstances may participants share any information collected under this policy with third parties, or otherwise disseminate it, without our prior and express consent.

Nor is it permitted to communicate IT data, communication data or personal data to third parties or to distribute this data to third parties.

Our policy is not intended to allow the deliberate disclosure of the content of IT data, communication data or personal data; any such disclosure may only occur incidentally in the course of detecting vulnerabilities.

If participants enlist assistance from a third party to perform their test, they shall ensure that the third party is aware of this policy in advance and agrees to comply with the terms of the policy, including confidentiality, when providing assistance.

D. Bona fide execution

The CCB undertakes to implement this policy in good faith and not to bring civil or criminal proceedings against any participant who strictly complies with its terms and conditions and who has not intentionally caused harm to the IT systems concerned.

Participants may not act with fraudulent intent, with intent to cause harm, or with the aim of using or damaging the visited system or its data.

In case participants are in doubt about certain conditions of our policy, they must consult our point of contact in advance and must act in accordance with the written answer they receive.

E. Processing of personal data

This coordinated disclosure policy is not intended to involve the deliberate or primary processing of personal data. Unless it is necessary to prove the existence of a vulnerability, participants are not allowed to consult, retrieve or store personal data.

However, participants may, even by accident, get access to personal data that is stored, processed or transmitted in the IT system concerned. It may also be necessary for the participant to temporarily consult, retrieve or use personal data in the context of vulnerability detection. In this case, participants must notify the CCB's Data Protection Officer: privacy[at]ccb.belgium.be.

When processing such data, participants undertake to comply with the legal obligations concerning the protection of personal data [1] and to comply with the terms of this policy.

The processing of personal data for purposes other than the detection of vulnerabilities in the CCB's systems, equipment or products is not allowed.

Participants may not store any personal data processed for longer than is necessary. During this period, participants must ensure that this information is stored with a level of protection that is proportionate to the risks (preferably encrypted). After being used for the purpose of the policy, this data must be deleted immediately.

Finally, participants must inform us of any loss of personal data as soon as possible after becoming aware of it.

[1] Regulation No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

3. How to report security vulnerabilities

A. Point of contact

You must send the information discovered only to the following e-mail address: vulnerabilityreport[at]cert.be

and/or fill in the following form:

The completed form must be sent in Word or PDF format (no scans) and must be password-protected, either directly or by placing it in a password-protected zip archive (to avoid possible blocking by our antivirus filters).

The total size of the file must not exceed 7 MB.

We would ask you (where possible) to use the following secure means of communication:

PGP Key ID: 1668FD92

Key Type: RSA-4096

Key Fingerprint: A7B9 E8AA F0AA AF13 C13D 3524 3FBC 9FC1 1668 FD92

Please protect the form with a password and communicate that password to us separately, by e-mail or another means of communication (e.g. telephone).


You can also contact the CCB on the following telephone number:

+32 (0)2 501 05 60 (CCB - CERT.be service)


B. Information to be provided

Please send us the related information as soon as possible after your discovery.

Provide us with sufficient information so that we can reproduce the problem and solve it as quickly as possible.

Please provide us this information in Dutch, French, German or English.

4. Procedure

A. Notification

Participants undertake to report any information on vulnerabilities to the contact point or the coordinator referred to in point 3A of this policy as soon as possible. Participants must use the secure means of communication mentioned there.

After receiving a notification, the CCB undertakes to send the participant a confirmation of receipt, within a reasonable period of time, containing its internal reference number, a reminder of the obligation of confidentiality and the next steps in the procedure.

If participants do not receive a confirmation of receipt within a reasonable period of time, they may contact the CCB's legal representative (vulnerabilitydisclosure[at]ccb.belgium.be) so this representative can contact the CCB's technical team.

B. Communication

The parties undertake to do their utmost to ensure permanent and effective communication. After all, the information provided by participants may be very useful in identifying a vulnerability and resolving it.

C. Analysis

During the analysis phase, the CCB will reproduce the environment and the vulnerability identified, to check the information provided.

The CCB undertakes to keep participants regularly informed of the results of its analysis and of the action taken based on their notification.

In the course of this programme, the parties are required to cross-reference similar or related notifications, to assess the risk and severity of the vulnerability, and to identify any other affected products or systems.

D. Developing a solution

The goal of the disclosure policy is to enable the development of a solution to eliminate the vulnerability from the IT system before harm is done.

Where possible and taking into account costs and existing knowledge, the CCB will try to develop a solution with its subcontractors as soon as possible, depending on the severity of the risks for the users of the systems concerned.

At this stage, the CCB and its subcontractors undertake to carry out, on the one hand, positive tests to check that the solution actually resolves the vulnerability and, on the other hand, negative (regression) tests to ensure that the solution does not interfere with the proper functioning of other existing features.

E. Possible publication

The CCB will decide, in consultation with the participant, whether and how the existence of the vulnerability may be published. At the time of such disclosure, a security notice will be published on the CCB's website (or sent by e-mail), together with a system update notice for users.

The CCB also undertakes to collect users' comments on the application of the solution and to take the necessary corrective action to resolve any problems caused by the solution, including those relating to compatibility with other products or services.

F. Applicable law

Belgian law shall apply to any disputes relating to the application of this policy.

G. Duration

The rules of the policy apply from 7 November 2019 until such time they are amended or annulled by the CCB. Any such amendments or annulments will be published on the CCB website and will automatically enter into force 30 days after their publication.