
Vulnerability reporting to the CCB

Every computer system or network may contain vulnerabilities. These vulnerabilities can be detected by both well-intentioned people and by people with bad intentions. Apart from the existence of a coordinated vulnerability disclosure policy (CVDP) or bug bounty, the fear of being sued often prevents well-intentioned people from looking for and reporting these vulnerabilities.

As part of the implementation of the national cybersecurity strategy, a new legal framework has been adopted in Belgium to address this situation.

This new framework allows any natural or legal person, acting without fraudulent or malicious intent, to investigate and report existing vulnerabilities in networks and information systems located in Belgium, provided that certain conditions are strictly respected (see detailed explanations).

One of these conditions is to report the discovered vulnerabilities to the Center for Cybersecurity Belgium (CCB) as soon as possible and according to the procedure provided for this purpose.

 

A. Background

The Center for Cybersecurity Belgium (hereinafter, the "CCB"), in its capacity as a national CSIRT, may receive reports of potential vulnerabilities from natural or legal persons (see articles 62/1 and 62/2 of the Law of 7 April 2019 establishing a framework for the security of networks and information systems of general interest for public security). 

A vulnerability is defined as "a weakness, susceptibility or loophole in a network and information system that can be exploited by a cyber threat". 

In the event that an organization responsible for a network or information system (hereafter, responsible organization) has a coordinated vulnerability disclosure policy (hereafter, CVDP), individuals who discover a vulnerability within the scope of that CVDP should contact the responsible organization directly, and only that organization. If difficulties arise or if the responsible organization fails to respond within a reasonable time frame, then participants in a CVDP may contact the CCB (default coordinator role). If the vulnerability also affects other organizations that do not have a CVDP, the vulnerability can still be reported to the CCB.

The procedure for reporting an IT vulnerability described below is quite distinct from the legal rules applicable to persons reporting violations of EU or national law based on information obtained in a professional context. Thus, the reporting of a violation of the legal rules for the protection of privacy and personal data or the security of networks and information systems must comply with the legal rules provided for this purpose (see in particular the law of November 28, 2022 on the protection of persons who report violations of Union or national law within a legal entity of the private sector and the law of December 8, 2022 on reporting channels and the protection of whistleblowers in the federal public sector and in the integrated police), possibly combined with the rules of this procedure.

B. What are your obligations in the context of the search for and reporting of a vulnerability?

1° You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability (see below point C "proportionality and necessity of actions").

2° You must act without fraudulent intent or design to harm.

You may not use your research for fraudulent purposes or with malicious intent. For example, you may not attempt to monetize the information discovered, whether with the responsible organization or with third parties (unless, of course, a reward or remuneration has been explicitly and previously agreed upon in the context of a pentest, bug bounty, agreement, etc.).

When possible and to demonstrate your good intentions, make yourself known to the responsible organization beforehand, during your research, for example by using a header or another identifiable parameter.

3° As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), you must inform the organization responsible for the system, process or control about the vulnerability.

When more than one person was involved in the research, the report may be made on behalf of several individuals who then assume collective responsibility. For convenience, multiple vulnerabilities involving the same responsible organization can also be reported in a single report. However, it is necessary to make a separate report for each organization concerned. 

In order to establish the timeliness of your report, it is recommended that you keep evidence of the actions taken (logging) with respect to the network and information system concerned and communicate this information to the CCB at the time of the report.

4° You must report the discovered vulnerability to the CCB as soon as possible (in the absence of a CVDP), in writing and according to the procedures described below (point D).

In order to establish the rapidity of your report, it is recommended that you keep evidence of the actions taken (logging) with regard to the system, process or control concerned and that you communicate this information to the CCB at the time of the report. It is also recommended to make the report prior to any active resistance by the responsible organization (e.g., shutting down the ports) and/or any criminal investigation, to emphasize the timeliness of the report.

5° You must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT (CCB).

C. Proportionality and necessity of actions

Your actions must be strictly limited to the facts that are necessary to allow the research and the reporting of a vulnerability of a network and information system.

The following may be considered as such facts:

  • unauthorized access or attempted access to a computer system (Art. 550 bis § 1 and 4 of the Criminal Code);
  • exceeding or attempting to exceed an authorization to access a computer system (Art. 550 bis § 2 and 4 of the Criminal Code);
  • taking over or copying computer data (Art. 550 bis § 3 of the Criminal Code);
  • the development or possession of hacking tools (Art. 550 bis § 5 of the Criminal Code);
  • possession, disclosure or use of information obtained through unauthorized access - for example, information available on the Internet (Art. 550 bis § 7 of the Criminal Code);
  • introduction or modification of data in a computer system (Art. 550 ter of the Criminal Code);
  • interception or attempted interception of communications (Art. 314 bis of the Criminal Code and/or Art. 145 of the Electronic Communications Act of 13 June 2005);
  • the violation of an obligation of professional secrecy or a contractual obligation of confidentiality.

Your actions and research methods must remain necessary and proportionate with regard to the objective of verifying the existence of a vulnerability in order to improve the security of the system, process or control concerned. The techniques used must therefore be strictly necessary and proportionate to the demonstration of a security flaw.

If the demonstration is possible on a small scale, you cannot extend your research further. The goal is not to use the vulnerability to examine how far one can penetrate a system, process or control. Similarly, there is no justification for disrupting the availability of services provided by the affected equipment.

Data from the system, process or control may not be used or retained unless this is strictly necessary to demonstrate the existence of a vulnerability. Similarly, all data collected should be deleted within a reasonable time after the report. If it is necessary to keep this data for a longer period of time or if legal proceedings are in progress, you must ensure that this data is kept secure during this period.

The following may be considered as disproportionate and/or unnecessary actions:

  • the installation of malicious software (malware): viruses, worms, Trojan horses, or other;
  • Distributed Denial of Service (DDoS) attacks;
  • Social engineering attacks;
  • Phishing attacks;
  • Spamming attacks;
  • Password theft or brute force attacks;
  • deletion of data from the computer system;
  • causing foreseeable damage to the visited system or its data;
  • all offences other than those mentioned under C (e.g. burglary, theft, assault, etc.).

Finally, you should also take into account that if your vulnerability research is carried out on networks or information systems located in whole or in part outside the Belgian territory, the present reporting procedure will only protect you in Belgium and not in the other countries concerned.

D. How to report a security vulnerability to the National CSIRT (CCB)?

You must send the discovered information exclusively to the following e-mail address: vulnerabilityreport[at]ccb.belgium.be, and/or by filling in the following form:

The completed form must be sent to us in Word or PDF format, protected with a password or zip (to avoid possible blocking by our anti-virus filters). 

The file must be a maximum of 7 MB.

Whenever possible, we encourage you to use the following secure means of communication:

PGP Key ID:  0x31A9EA55

Type: RSA-4096 Key

Fingerprint: 8E98 3C10 BC8D 23BA EE1B  9CB9 670C A658 31A9 EA55

Protect the form with a password which can be communicated to us by e-mail.

Provide enough information to allow us to understand the vulnerability and resolve it as quickly as possible.

E. Consequences of the report

Provided that you strictly comply with all the conditions set out in point B, a cause of justification can be accepted in a limited way for the offences under articles 314 bis, 550 bis and 550 ter of the Criminal Code and article 145 of the law of 13 June 2005 on electronic communications.

When you report information on a potential vulnerability that you have become aware of in your professional context, you are not considered to have breached your obligation of professional secrecy and do not incur any liability whatsoever regarding the transmission of information necessary to report a potential vulnerability to the CCB. 

Any other possible responsibility of the authors of the report arising from acts or omissions that are not necessary for the completion of the report procedure and do not comply with all the conditions listed in point B continues to be punishable under criminal and civil law. 

It is important to bear in mind that this legal protection is limited to the application of Belgian law and does not protect you against possible offences committed under the law of other countries. 

Finally, if you request it and if the conditions in point B are met, the CCB undertakes to respect the confidentiality of your identity. 

F. Procedure

Upon receipt of a report, the CCB will acknowledge receipt of the report to the reporter. 

If an acknowledgement is not received within a reasonable period of time, or if the person has specific questions, he or she may, if necessary, contact vulnerabilitydisclosure[at]ccb.belgium.be. 

The person reporting the vulnerability and the CCB undertake to make every effort to ensure continuous and effective communication in order to identify and address the vulnerability. 

The CCB, in collaboration with the competent services of the Public Prosecutor's Office, will examine compliance with the conditions set out in points B and C.

G. Personal Data

In the course of your research and reporting of a vulnerability, you may come into contact with personal data. 

The processing of personal data is broad in scope and includes the storage, modification, retrieval, consultation, use or disclosure of any information that may relate to an identified or identifiable natural person. The "identifiable" character of the person does not depend on the simple will of the data processor to identify the person but on the possibility to identify, directly or indirectly, the person with the help of these data (for example: an email address, identification number, online identifier, IP address or location data). 

In this case, make sure that you comply with your obligations regarding the protection of personal data (GDPR) as a data controller. 

Respecting the principles of necessity and proportionality, you must limit to the strict minimum the possible processing of such data and exclude their use for other purposes than demonstrating the existence of a vulnerability, demonstrating the reality of your actions and communicating this information to the responsible organization, as well as to the CCB. Where the demonstration of a vulnerability is possible with some personal data, not all accessible data need be processed or retained.

In particular, you must ensure that the data you may have to process is kept with a level of security appropriate to the risks involved (preferably encrypted and anonymized) and that this data is deleted immediately after the end of the processing (until the end of the reporting procedure or, in the event of a challenge or legal proceedings, until the end of the proceedings). 

You must also inform the responsible organization and the Data Protection Authority (DPA), as soon as possible and no later than 72 hours after becoming aware of it, of the possible loss of this data which could create a risk for the rights and freedoms of the natural persons concerned (see explanations and the required procedure on the DPA website).