The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the vulnerability cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Instead of copying data, a hacker may make a directory listing of the system, the guidelines said.
Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.
While the responsible disclosure procedure is in principle a matter between the person who found the vulnerability and the organization, the NCSC can act as an intermediary if a vulnerability is reported to it directly.
"I think this is a very good thing, especially when the NCSC acts as an intermediary," said Ronald Prins, CEO of the Dutch security firm Fox-IT. One of the problems ethical hackers face is that they have a hard time being taken seriously if they report a vulnerability to a company, and they have a hard time reaching the right person, he said.
If an organization is contacted about a security vulnerability by an official government organization like the NCSC, it will probably take the warning more seriously, he added. Online forms used to report the vulnerability directly to the right person within an organization could also help this process, he added.
While there is little flexibility given to ethical hackers within the guidelines, Prins said he understood why the government did that. It prevents ethical hackers from crossing the line, he said.
"I see that some people are disappointed" because the Public Prosecution Service is still allowed to prosecute when they deem that necessary, Prins said. But it is impossible not to do this, he added. "I would be very pleased if someone reports a problem that he found," he said. But if that person spends days pounding his systems to get in, Prins would definitely consider filing a legal complaint, he said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers.