Dutch government aims to shape ethical hackers' disclosure practices

The guidelines should enable ethical hackers, companies and governments to work together, the government said.

The Dutch government's cyber security center has published guidelines that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way.

"Persons who report an IT vulnerability have an important social responsibility," the Dutch ministry of Security and Justice said on Thursday, announcing guidelines for ethical hacking that were published by the country's National Cyber Security Center (NCSC).

White-hat hackers and security researchers play an important role in securing IT systems by finding vulnerabilities, the NCSC said. However, the center maintained that security researchers are sometimes reluctant to disclose vulnerabilities to companies, instead using media outlets to announce vulnerabilities, which is an undesirable practice because it exposes a hole before it is fixed.

With the guide, the government wants to provide organizations with a framework to create their own policies on responsible disclosure. Ivo Opstelten, Minister of Security and Justice, plans to encourage a wide use of the responsible disclosure guidelines within the government, he said in a letter sent to the parliament.

While the released guidance does not affect the existing legal framework, it encourages parties to work together to make IT systems safer, the NCSC said. Companies and governments could for example offer a standardized online form that can be used by security researchers to notify an organization if they found a vulnerability, it said.

The company and the researcher can also agree to disclose the vulnerability within a certain time frame. An acceptable period for the disclosure of software vulnerabilities is 60 days, while a reasonable period to disclose harder to fix hardware vulnerabilities is 6 months, the NCSC said. When an organization decides to follow these guidelines, it should include in its policy that it will not take legal action against ethical hackers who comply with the rules, it added.

The Dutch Public Prosecution Service however will keep the option to prosecute when it suspects that crimes have been committed, the ministry of Security and Justice said.

The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said.

Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.

While the responsible disclosure procedure is in principle a matter for the detector and the organization, the NCSC can act as an intermediary if a vulnerability is reported to it directly.

"I think this is a very good thing, especially when the NCSC acts as an intermediary," said Ronald Prins, CEO of the Dutch security firm Fox-IT. One of the problems ethical hackers face is that they have a hard time being taken seriously if they report a vulnerability to a company, and they have a hard time reaching the right person, he said.

If an organization is contacted about a security vulnerability by an official government organization like the NCSC, it will probably take the warning more seriously, he added. Online forms used to report the vulnerability directly to the right person within an organization could also help this process, he added.

While there is little flexibility given to ethical hackers within the guidelines, Prins said he understood why the government did that. It prevents ethical hackers from crossing the line, he said.

"I see that some people are disappointed" because the Public Prosecution Service is still allowed to prosecute when they deem that necessary, Prins said. But it is impossible not to do this, he added. "I would be very pleased if someone reports a problem that he found," he said. But if that person spends days pounding his systems to get in, Prins would definitely consider filing a legal complaint, he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentregulationintrusionAccess control and authenticationExploits / vulnerabilitiesFox-IT

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Brand Post

Bitdefender 2019

Taking cybersecurity to the highest level and order now for a special discount on the world’s most awarded and trusted cybersecurity. Be aware without a care!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?