Dutch Gov't Offers Guidance For Responsible Disclosure Practices

An anonymous reader sends this quote from an IDG News report: "The Dutch government's cyber security center has published guidelines (in Dutch) that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way. The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said. Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said."

Been Done

[shawnhcorey]

"Responsible disclosure" means "We don't want to bother fixing it." If the vulnerability is not make public, it is never fixed. This has been done many times before. The only way to get them fixed is to make them public.

Disclosure only with consent?

[the_B0fh]

Seriously? Who's going to consent?

Also, where's the responsibility on the part of the organization to show that they *HAVE* a secure coding practice, they don't simply outsource $2 coders, and they have a program in place to review security issues?