New Belgian legal framework gives safe harbor to ethical hackers and bug bounty hunters

A safe harbor under certain conditions has been created in Belgium for cybersecurity researchers who report vulnerabilities to the Belgian national CSIRT and relevant system owners.

Some positive developments impacting Belgium’s cybersecurity industry will come into effect next month after the country approved legal dispositions protecting ethical hackers and bug bounty hunters.

As part of the Belgian Act on the Protection of Whistleblowers of November 28, 2022, dispositions were adopted to offer a safe harbor for ethical hackers who respect certain strict conditions.

Those dispositions will come into effect on February 15, 2023, establishing a framework for the security of networks and information systems of general interest for public security.

RELATED How lawmakers are expanding the adoption of bug bounty programs

The new legislation permits any individual or company to report a vulnerability defined as “a weakness, susceptibility, or loophole in an asset, or in an information network and system that can be exploited by a cyber threat” affecting an organization in Belgium to the Centre for Cybersecurity Belgium (CCB), the country’s national Computer Security Incident Response Team (CSIRT).

As detailed on the CCB website, the new coordinated vulnerability disclosure policy offers legal protection, under certain conditions, for the actions necessary to investigate and report such vulnerabilities.

Commenting on the announcement, Stijn Jans, CEO and Co-founder of Intigriti, a Belgium-based bug bounty platform and crowdsourced security company, said:

“This latest announcement is another step in the right direction for Europe’s security vulnerability disclosure laws. Any legislation that helps protect bug bounty hunters, security researchers, and ethical hackers as they go about their vital work can only be seen as a benefit to the cybersecurity of a nation’s assets.”

Safe harbor conditions

Within the framework of the law, those who disclose vulnerabilities to the CCB will not be deemed to have committed an offence in connection with their actions necessary to report the vulnerability to the CCB, as long as the following conditions are met:

• The individual or company must prove that he has completed a written vulnerability report to the CCB and the concerned organization (system owner) as soon as possible and according to the procedure detailed on the CCB website. Such reports will not be possible after the start of any criminal proceedings

• The reporter must have acted without fraudulent intent or malice (e.g., abuse of the vulnerability, fraud, extortion, or theft

• The report must not act beyond what is necessary and proportionate to verify the existence of a potential vulnerability. Guidance is provided on the CCB website

• The reporter must not publicly disclose the information relating to the vulnerability without the agreement of the CCB

Importantly, those dispositions will apply to all organizations, even those that do not have adopted their own vulnerability disclosure program.

Marilyn Vandermarliere, General Counsel at Intigriti, said:

“Up to now, ethical hacking, even if done with the best intentions in mind, was sanctionable under Belgian criminal laws. As a consequence, an ethical hacker who would inform an organization of a security vulnerability in its systems risked criminal prosecution. The new legislation eliminates this risk and will hopefully lead to an increase in the number of vulnerabilities reported to organizations, thereby enabling such organizations to improve the security of their systems.”

Sources:

28 NOVEMBRE 2022. – Loi sur la protection des personnes qui signalent des violations au droit de l’Union ou au droit national constatées au sein d’une entité juridique du secteur privé.  https://www.ejustice.just.fgov.be/eli/loi/2022/11/28/2022042980/justel

28 NOVEMBER 2022. – Wet betreffende de bescherming van melders van inbreuken op het Unie- of nationale recht vastgesteld binnen een juridische entiteit in de private sector. http://www.ejustice.just.fgov.be/eli/wet/2022/11/28/2022042980/justel