Guideline for responsible disclosure of IT vulnerabilities

Persons who report an IT vulnerability have an important social responsibility, but they do have to handle this responsibility in a responsible manner. This means that they should not cause unnecessary damage to the information systems of organisations, should not go further than necessary to demonstrate the vulnerability and postpone disclosing the vulnerability until the organisation has resolved the problem. On the other hand, the organisations will remain primarily responsible for the security of their information systems and (software) products, but there has to be a quick and efficient response to reports in order to resolve vulnerabilities and arrangements have to be made concerning any disclosure and information to other parties.

These are a number of starting points for the so-called 'Guideline for responsible disclosure', which was sent to the House of Representatives today by Minister Opstelten of Security and Justice. This framework is intended as a manual to make it possible to report and handle vulnerabilities in IT systems and products in a responsible manner. Organisations can use the manual to draw up their own policy in the field of responsible disclosure. Minister Opstelten also announces in the letter to Parliament that he will promote the application of the framework within the government of the Netherlands. 

Responsible disclosure thus concerns the actions of both the reporter and the organisation. Specifically, this means that an organisation publicly endorses the responsible disclosure policy. The organisation and the reporter will also conclude agreements concerning the term within which the vulnerability will be resolved, the manner in which they will communicate with each other and any disclosure and further communication with the IT security community. This will also allow others to draw lessons from the vulnerability concerned. Once an organisation has developed policy in this field, it should also be clear how it handles reports and that no police report will be filed if the reporter has acted in accordance with the agreements. The independent power of the Public Prosecution Service to proceed with prosecution if the suspicion exists that a crime has been committed will continue to exist. 

The Ministry of Security and Justice worked together with reporters and public and private organisations on the formation of this framework. After all, there is a great deal of knowledge available within the IT security community concerning vulnerabilities and the manner in which these can be resolved. There is also the will to share knowledge and to contribute to a safe and vital digital society. Promoting closer cooperation and forming new coalitions between public and private parties with the IT security community is therefore very important. Where necessary, it will be the responsibility of the National Cyber Security Centre (NCSC) to bring parties together and share information on vulnerabilities so that other parties can implement measures.