Dutch Gov't Offers Guidance For Responsible Disclosure Practices 37
An anonymous reader sends this quote from an IDG News report:
"The Dutch government's cyber security center has published guidelines (in Dutch) that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way. The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said. Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said."
Re:Been Done (Score:5, Informative)
Being a native dutch speaker, I read the entire guidelines in Dutch, and they include disclosure terms to encourage companies to rapidly fix (60 days) issues, and make agreements with the discloser about the disclosure.
This is common practice and rather well accepted practice already. So, in essence, the document encourages the public disclosure. Any company that wishes to ignore the vulnerability will have their asses handed to them anyway, so this guideline actually helps - security researchers can use it to show to companies that they are acting in good faith as long as companies play by the same rules.
So personally, I highly encourage governments to do something like this.
This Dutch variant is interesting in the sense that it creates a possible middle man that can mediate and monitor the disclosure. This protects disclosers, and puts more pressure on companies to abide by these standards. Not the other way around.
Re:Time limit (Score:4, Informative)
As I posted before, the guidelines mention explicit timelines that should be followed. 60 days for software, 6 months for hardware.
Directive ethical hacking solves nothing (Score:4, Informative)
IT journalist Brenno de Winter calls the guidance useless. "If hackers first have to report the vulnerability, they lose their anonymity without having a guarantee that they will not be prosecuted. And even if a company promises that it will not press charges, the Public Prosecutions Department can start a case." Link here: http://www.trouw.nl/tr/nl/5133/Media-technologie/article/detail/3372108/2013/01/04/Richtlijn-ethisch-hacken-lost-niets-op.dhtml [trouw.nl] (in Dutch).