What is ethical hacking / Coordinated Vulnerability Disclosure?

Openbaar Ministerie April 22, 2024

ANSWER

Coordinated Vulnerability Disclosure (CVD) is the responsible, collaborative disclosure of vulnerabilities in an organization's ICT systems, arranged between the reporter (the ethical hacker) and the organization concerned. Anyone can report a vulnerability to a company, government agency or other organization.

Individuals who seek out such vulnerabilities are also known as ethical hackers. After a report, the organization has the opportunity to resolve the vulnerability before third parties can exploit it. Vulnerability reports contribute to the security and continuity of ICT systems: directly, by getting vulnerabilities fixed, and indirectly, by raising general ICT security awareness among organizations within and outside the Netherlands.

Openbaar Ministerie policy

The Openbaar Ministerie (the Dutch Public Prosecution Service) considers it important that ethical hackers can continue to find and report vulnerabilities so that ICT systems can be made more secure. It encourages organizations to lay down, in a CVD policy, how vulnerabilities in their ICT systems can be reported.

The Openbaar Ministerie expects ethical hackers to have familiarized themselves with the organization's CVD policy, or to have consulted the National Cyber Security Centre's "Coordinated Vulnerability Disclosure Guide", before they start searching for and reporting vulnerabilities.

If an organization that has no CVD policy reports the actions of an ethical hacker, that alone is not grounds for the Openbaar Ministerie to immediately treat the ethical hacker as a suspect. An investigation may still be opened to establish whether the activity was in fact ethical hacking. When deciding whether to prosecute an ethical hacker, the contribution that CVD makes to a secure digital world weighs heavily.

Principles

In principle, if an ethical hacker finds a vulnerability in an organization's ICT system and reports it to that organization, no criminal investigation is launched.

To determine whether the activity qualifies as CVD/ethical hacking, the prosecutor assesses three factors:

  • Substantial public interest: did the hacker act in the context of a substantial societal interest?

  • Proportionality: did the hacker go no further than was necessary to achieve that goal?

  • Subsidiarity: was there no less far-reaching way for the hacker to achieve the intended goal?

Source: https://www.om.nl/onderwerpen/cybercrime/coordinated-vulnerability-disclosure---ethisch-hacken, accessed May 2, 2024.