Dutch government aims to shape ethical hackers' disclosure practices

The guidelines should enable ethical hackers, companies and governments to work together, the government said.

By Loek Essers, IDG News Service |  Security, cybersecurity, ethical hacking

The Dutch government's cyber security center has published guidelines that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way.

"Persons who report an IT vulnerability have an important social responsibility," the Dutch ministry of Security and Justice said on Thursday, announcing guidelines for ethical hacking that were published by the country's National Cyber Security Center (NCSC).

White-hat hackers and security researchers play an important role in securing IT systems by finding vulnerabilities, the NCSC said. However, the center maintained that security researchers are sometimes reluctant to disclose vulnerabilities to companies, instead using media outlets to announce vulnerabilities, which is an undesirable practice because it exposes a hole before it is fixed.

With the guide, the government wants to provide organizations with a framework to create their own policies on responsible disclosure. Ivo Opstelten, Minister of Security and Justice, plans to encourage a wide use of the responsible disclosure guidelines within the government, he said in a letter sent to the parliament.

While the released guidance does not affect the existing legal framework, it encourages parties to work together to make IT systems safer, the NCSC said. Companies and governments could for example offer a standardized online form that can be used by security researchers to notify an organization if they found a vulnerability, it said.

The company and the researcher can also agree to disclose the vulnerability within a certain time frame. An acceptable period for the disclosure of software vulnerabilities is 60 days, while a reasonable period to disclose harder to fix hardware vulnerabilities is 6 months, the NCSC said. When an organization decides to follow these guidelines, it should include in its policy that it will not take legal action against ethical hackers who comply with the rules, it added.

The Dutch Public Prosecution Service however will keep the option to prosecute when it suspects that crimes have been committed, the ministry of Security and Justice said.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness