The Belgian government has recently announced a new law that will allow ethical hackers to hack any Belgian company without prior permission. Historically, ethical hacking codes of conduct have stated that a hacker must have prior permission before testing an organization. Organizations make it easy for hackers to share the vulnerabilities they find by implementing Vulnerability Disclosure Policies (VDPs). These days, it is considered hazardous for an organization not to have a VDP: why would you want to disconnect yourself from a valuable source of information that helps prevent breaches and protect your business?
This decision by the Belgian government appears to be a step in the right direction toward protecting good-faith research, since we know the potential for legal liability can have a chilling effect on vulnerability research and disclosure. The 2022 Hacker-Powered Security Report found that 12% of hackers who had not reported a vulnerability to an organization said this was because of threatening legal language on the company's website.
The new Belgian law is to be celebrated in the sense that it acknowledges that good-faith security research needs to be protected. But it also has limitations that, if not addressed, could render the law ineffective. Legal safe harbor is conditional on notifying a central government authority under certain circumstances. While there may be some upsides to this, there are also many downsides. From a practical point of view, many hackers may find it distasteful. And historically, this sort of structure, in which reports are shared with a central clearing house, has often ended up being a source of information leaks. Secondly, and more alarmingly, this central government authority must approve all public disclosures. This won't do. Across the industry, we see organizations and governments alike profess a commitment to security transparency but fail to live by those words. The main reason we have made security progress over the past couple of decades is broad information sharing within the security community. We need to stop taking steps backwards here.
The recent changes to the U.S. Department of Justice's policy for charging acts under the Computer Fraud and Abuse Act (CFAA), which increase protections for hackers, provide a more all-encompassing protection for good-faith hackers who fear prosecution. There is no requirement to involve a central government authority, and publishing security information does not retroactively strip the protections. Two-thirds of the hackers surveyed in our 2022 Hacker-Powered Security Report believed it would increase their sense of protection.
What neither the Belgian law nor the DOJ policy accounts for is civil suits brought by companies against hackers. We need to make hackers feel fully confident about reporting vulnerabilities, and companies must be involved. That is why we introduced the Gold Standard Safe Harbour (GSSH) initiative last year. Adopting the GSSH represents an organization's endorsement of these latest legal and regulatory developments surrounding security research. HackerOne customers that adopt GSSH also clearly authorize good-faith security research. Bringing clarity here is important not just to protect hackers, but also to protect companies: explicit authorization helps draw the line between access that occurs during good-faith security research and access that constitutes a reportable data breach.
The biggest reason (42%) preventing hackers from disclosing valuable vulnerability information is that an organization does not have an easily discoverable method of reporting a vulnerability. Examples of discoverable methods include a readily searchable Vulnerability Disclosure Policy and a security.txt file published at /.well-known/security.txt, the location and format defined by RFC 9116. Those bugs could have a detrimental effect on your business and brand, so you want to know about them. If you want to know about your vulnerabilities, lower your breach risk, and get ahead of any surprise submissions from hackers, developing a clear Vulnerability Disclosure Policy is the first step. Get started on your vulnerability disclosure journey.
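A security.txt file only helps discoverability if it is actually well-formed, so here is an added example of a small checker for the RFC 9116 format. This is illustrative code written for this article, not HackerOne's tooling or anything from RFC 9116 itself; it covers a subset of the RFC's rules (required Contact and Expires fields, at-most-once fields, URI-form Contact values, a timezone-aware Expires date within a year), and the two sample files, including the example.com addresses in them, are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116. Contact and Expires are required;
# Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "csaf", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
REQUIRED_FIELDS = {"contact", "expires"}
SINGLETON_FIELDS = {"expires", "preferred-languages"}
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def parse_security_txt(text):
    """Map lowercase field name -> list of values. Comments (# ...) and blank
    lines are skipped; lines that are not 'Name: value' go under '_malformed'."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            fields.setdefault("_malformed", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means every check passed.
    `now` is injectable so the Expires checks are reproducible in tests."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"malformed line: {raw!r}" for raw in fields.get("_malformed", [])]
    for name in sorted(REQUIRED_FIELDS):
        if name not in fields:
            problems.append(f"missing required field: {name.title()}")
    for name in sorted(SINGLETON_FIELDS):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name.title()} must appear at most once")
    for name in fields:
        if name != "_malformed" and name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    # Contact values must be URIs; a bare e-mail address needs a mailto: prefix.
    for value in fields.get("contact", []):
        if not URI_SCHEME.match(value):
            problems.append(f"Contact is not a URI (use mailto:/https:/tel:): {value}")
    # Expires must be an ISO 8601 date-time with an offset, must be in the
    # future, and the RFC recommends it be less than a year away.
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone offset")
        elif expires <= now:
            problems.append(f"Expires is in the past: {value}")
        elif expires > now + timedelta(days=365):
            problems.append("Expires is more than a year away; keep it under a year")
    # Links to policies, keys and the like should not be plaintext HTTP.
    for name, values in fields.items():
        for value in values:
            if value.lower().startswith("http://"):
                problems.append(f"plaintext http:// link in {name}: {value}")
    return problems


# Constructed sample files (example.com is a placeholder, not a real program).
GOOD_EXAMPLE = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2023-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/vulnerability-disclosure-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, nl, fr
"""

BAD_EXAMPLE = """\
Contact: security@example.com
Policy: http://example.com/policy
Acknowledgements: https://example.com/hall-of-fame
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        print(label, validate_security_txt(sample) or "OK")
```

The bad sample shows the mistakes that most often make a published file useless to a reporter: an e-mail address without the mailto: scheme, no Expires (so tooling treats the file as stale), a British spelling of the Acknowledgments field, and a policy link over plaintext HTTP. Run the checker against the file you actually serve, not the one in your repository, since a misconfigured redirect or CDN can strip it.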