A person or group of persons working together trying to enter your systems: does that sound scary? Not if this is an organised activity and you have been properly informed! In fact, it enables us all to benefit from the skills and knowledge of ‘ethical hackers’, who can tell you if one of your virtual doors isn’t properly locked.

Beyond bug bounties

Coordinated vulnerability disclosure policy (CVDP) or bug bounty programmes, already exist. For these, your organisation sets the rules allowing ethical hackers to hunt for vulnerabilities and provide relevant information.

But what if multiple organisations are involved, your organisation takes time to respond, or you don’t have a CVDP?  Strictly speaking, from a legal perspective, the ethical hacker could not verify their findings. For example, an ethical hacker who explores a vulnerability using unauthorised access and copies your data to prove the vulnerability, is currently committing a criminal offence. And a programmer who reports on a safety issue that the company doesn’t want to solve (for whatever reason) is, for now, held liable.

An added role for the CCB

But not anymore. From 15 February, new rules offer better protection and an additional role for the Center for Cyber Security Belgium (CCB), as the authority to whom the ethical hacker or programmer reports. Through the transposition of the NIS directive, the CCB was already the Belgian  Computer Security Incident Response Team (CSIRT or CERT). The CCB already knows a lot about vulnerabilities, making them ideal for this role.

 To operate under the new rules, the hacker or the programmer must:

1. limit themselves to what is strictly necessary to report the vulnerability. Installing malware, stealing passwords, deleting data or causing damage is off-limits.
2. act without fraudulent intent or design to harm. For example, they may announce they are looking for vulnerabilities, and must not monetise the information (outside of a previously agreement or a bug bounty programme, etc.).
3. inform your organisation at the same time as they inform the CCB
4. report to the CCB (if there is no CVDP available) as soon as possible
5. not publicly disclose the information without the agreement of the CCB

As this is Belgian law, the assets, networks and/or information systems must be fully located on Belgian territory for the ethical hacker to be protected.

Protecting programmers

Under the new rules, when a programmer reports on a potential vulnerability in their professional context, they are not considered to have breached their obligation of professional secrecy and do not incur any liability whatsoever regarding the transmission of information necessary to report a potential vulnerability to the CCB. Again, the law is only in effect when assets, networks or systems are located in Belgium.

Blowing the whistle

If you are planning to come forward to report something wrong in your organisation, be aware that you are now better protected, but that the procedure for reporting an IT vulnerability is quite distinct from the legal rules for whistle-blowers, that is, people that wish to report information obtained in a professional context.

More information on the protection for whistle-blowers under Belgian law can be found on the website of the Belgisch Staatsblad/Moniteur Belge:

• The law of 28 November 2022 on the protection of persons who report violations of EU or national law by a legal entity of the private sector
• The law of 8 December 2022 on reporting channels and the protection of whistleblowers in the federal public sector and in the integrated police