Adam Bannister
15 February 2023 at 16:49 UTC
Updated: 16 February 2023 at 11:11 UTC
New legal protections for security researchers present some of the strongest safeguards in Europe.
Belgium has emerged as the first European nation to establish a national safe harbor framework specifically designed for ethical hackers, as announced by the country’s cybersecurity agency.
The Centre for Cyber Security Belgium (CCB) has introduced a mechanism that shields individuals or organizations from potential legal repercussions—provided they adhere to specific “strict” conditions—when they report security vulnerabilities impacting any systems, networks, or applications within Belgium.
This framework applies universally, irrespective of whether the affected technologies are owned by private institutions or public sector entities.
Terms and Conditions
In alignment with the guidelines outlined in the national coordinated vulnerability disclosure policy (CVDP) on its website, CCB—the computer security incident response team (CSIRT) for Belgium—can now accept reports of IT vulnerabilities while offering legal protection to the security researchers who submit them, provided that the following criteria are satisfied:
- Promptly notify the owner of the vulnerable technology and ensure that CCB is informed simultaneously.
- Submit a detailed written report about the vulnerability to CCB at the earliest convenience in the designated format.
- Conduct actions without malintent or desire to inflict harm.
- Operate in a necessary and proportionate manner to verify the existence of a vulnerability.
- Refrain from publicly revealing information about the vulnerability and its associated systems without prior consent from CCB.
Additionally, CCB provides guidelines established in 2020 that motivate organizations in Belgium to create their own vulnerability disclosure policies (VDPs) or bug bounty initiatives.
Researchers are not obligated to inform the CCB if an organization already possesses a VDP, but they may opt to do so if the vulnerability impacts other organizations lacking VDPs or if challenges arise in the process of disclosure and remediation.
Similar to most VDPs and bug bounty initiatives, aggressive methods such as phishing, social engineering, and brute force attacks are deemed “disproportionate and/or unnecessary actions.”
Elsewhere in the EU
A 2022 report from the EU Agency for Cybersecurity (ENISA) highlighted that countries like France, Lithuania, and the Netherlands are actively working on implementing coordinated vulnerability disclosure (CVD) policies.
However, according to Valéry Vander Geeten, legal officer at CCB, Belgium’s approach is the most extensive to date.
He conveyed to The Daily Swig that while the Netherlands has indicated a non-prosecution stance for ethical hackers, France and Slovakia lack “complete legal protection,” and Lithuania’s safe harbor regulations are restricted to critical infrastructure.
Furthermore, he underscored that the protections extend to those reporting vulnerabilities regardless of their affiliation with the impacted organization.
Several other EU member states are in the process of developing or planning to introduce similar national protections for hackers.
Far from the Norm
Although companies like Telenet, Brussels Airlines, and the Port of Antwerp maintain VDPs, such practices remain uncommon. As of 2021, less than 20% of Fortune 500 companies reportedly had VDPs, a slight increase from 9% in 2019.
“I genuinely hope that legislation like this will induce a ‘GDPR’-like effect, prompting companies to implement VDPs,” remarked Inti De Ceukelaire, head of hackers at the Belgium-based bug bounty platform Intigriti.
“Ironically, most security researchers are currently offering value and enhancements to companies that are willing to engage and are already in tune with the latest security practices, including VDPs.
“Applying this to firms that are entirely new to the concept will yield intriguing outcomes, I believe. In the Netherlands, where similar laws exist, an ethical hacker known as Victor Gevers (0xDUDE) has reported 5,000 vulnerabilities to date.”
This article was updated on February 16 to clarify specific terms and terminologies used in the CVDP.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/belgium-launches-nationwide-safe-harbor-for-ethical-hackers