A safe harbor under certain conditions has been created in Belgium for cybersecurity researchers who report vulnerabilities to the Belgian national CSIRT and relevant system owners.
Some positive developments for Belgium’s cybersecurity industry will come into effect next month, after the country approved legal provisions protecting ethical hackers and bug bounty hunters.
As part of the Belgian Act on the Protection of Whistleblowers of November 28, 2022, provisions were adopted to offer a safe harbor to ethical hackers who respect certain strict conditions.
Those provisions will come into effect on February 15, 2023, establishing a framework for the security of networks and information systems of general interest for public security.
The new legislation permits any individual or company to report a vulnerability defined as “a weakness, susceptibility, or loophole in an asset, or in an information network and system that can be exploited by a cyber threat” affecting an organization in Belgium to the Centre for Cybersecurity Belgium (CCB), the country’s national Computer Security Incident Response Team (CSIRT).
As detailed on the CCB website, the new coordinated vulnerability disclosure policy offers legal protection, under certain conditions, for the actions necessary to investigate and report such vulnerabilities.
Commenting on the announcement, Stijn Jans, CEO and Co-founder of Intigriti, a Belgium-based bug bounty platform and crowdsourced security company, said:
Safe harbor conditions
Within the framework of the law, those who disclose vulnerabilities to the CCB will not be deemed to have committed an offence in connection with their actions necessary to report the vulnerability to the CCB, as long as the following conditions are met:
- The individual or company must be able to show that they submitted a written vulnerability report to the CCB and to the concerned organization (the system owner) as soon as possible and according to the procedure detailed on the CCB website. Such reports will not be possible after the start of any criminal proceedings.
- The reporter must have acted without fraudulent intent or malice (e.g., abuse of the vulnerability, fraud, extortion, or theft).
- The reporter must not act beyond what is necessary and proportionate to verify the existence of a potential vulnerability. Guidance is provided on the CCB website.
- The reporter must not publicly disclose the information relating to the vulnerability without the agreement of the CCB.
Importantly, those provisions will apply to all organizations, even those that have not adopted their own vulnerability disclosure program.
Marilyn Vandermarliere, General Counsel at Intigriti, said:
28 NOVEMBER 2022. – Act on the protection of persons who report breaches of Union or national law detected within a legal entity in the private sector (French text). https://www.ejustice.just.fgov.be/eli/loi/2022/11/28/2022042980/justel
28 NOVEMBER 2022. – Act on the protection of persons who report breaches of Union or national law detected within a legal entity in the private sector (Dutch text). http://www.ejustice.just.fgov.be/eli/wet/2022/11/28/2022042980/justel