Better protection for ethical hackers in Belgium

Ethical hackers look for vulnerabilities in your systems, check all your outward facing apps and see if they can get in. However, these ‘crimes’ can get them into hot water if they are not protected. While transposing the EU Whistleblower directive into national law, Belgium took the opportunity to better protect these ‘digital whistleblowers’ – as long as they play by the new rules, which can be found on the CCB website.

22 / 02 / 23

A person or group of persons working together trying to enter your systems: does that sound scary? Not if this is an organised activity and you have been properly informed! In fact, it enables us all to benefit from the skills and knowledge of ‘ethical hackers’, who can tell you if one of your virtual doors isn’t properly locked.

Beyond bug bounties

Coordinated vulnerability disclosure policies (CVDP) and bug bounty programmes already exist. For these, your organisation sets the rules allowing ethical hackers to hunt for vulnerabilities and provide relevant information.

But what if multiple organisations are involved, your organisation takes time to respond, or you don’t have a CVDP? Strictly speaking, from a legal perspective, the ethical hacker could not verify their findings. For example, an ethical hacker who explores a vulnerability using unauthorised access and copies your data to prove the vulnerability is currently committing a criminal offence. And a programmer who reports on a safety issue that the company doesn’t want to solve (for whatever reason) is, for now, held liable.

An added role for the CCB

But not anymore. From 15 February, new rules offer better protection and an additional role for the Center for Cyber Security Belgium (CCB), as the authority to whom the ethical hacker or programmer reports. Through the transposition of the NIS directive, the CCB was already the Belgian Computer Security Incident Response Team (CSIRT or CERT). The CCB already knows a lot about vulnerabilities, making them ideal for this role.

To operate under the new rules, the hacker or the programmer must:
  1. limit themselves to what is strictly necessary to report the vulnerability. Installing malware, stealing passwords, deleting data or causing damage is off-limits.
  2. act without fraudulent intent or design to harm. For example, they may announce they are looking for vulnerabilities, and must not monetise the information (outside of a prior agreement or a bug bounty programme, etc.).
  3. inform your organisation at the same time as they inform the CCB.
  4. report to the CCB (if there is no CVDP available) as soon as possible.
  5. not publicly disclose the information without the agreement of the CCB.

As this is Belgian law, the assets, networks and/or information systems must be fully located on Belgian territory for the ethical hacker to be protected.

Protecting programmers

Under the new rules, when a programmer reports on a potential vulnerability in their professional context, they are not considered to have breached their obligation of professional secrecy and do not incur any liability whatsoever regarding the transmission of information necessary to report a potential vulnerability to the CCB. Again, the law is only in effect when assets, networks or systems are located in Belgium.

Blowing the whistle

If you are planning to come forward to report something wrong in your organisation, be aware that you are now better protected, but that the procedure for reporting an IT vulnerability is quite distinct from the legal rules for whistle-blowers, that is, people that wish to report information obtained in a professional context.

More information on the protection for whistle-blowers under Belgian law can be found on the website of the Belgisch Staatsblad/Moniteur Belge:

  • The law of 28 November 2022 on the protection of persons who report violations of EU or national law by a legal entity of the private sector
  • The law of 8 December 2022 on reporting channels and the protection of whistleblowers in the federal public sector and in the integrated police

