How can national policies support the development and implementation of coordinated vulnerability disclosure?
Abstract
Every computer system or network may contain vulnerabilities. Vulnerability handling and disclosure are therefore key elements of the technical, operational and organisational cyber security risk management measures of every organisation that develops or administers network and information systems. A coordinated vulnerability disclosure (CVD) policy or a bug bounty programme can enable organisations to work together with well-intentioned people (ethical hackers) who look for and report vulnerabilities. The fear of being prosecuted or sued, or a CVD policy whose scope is too narrow, can prevent such collaboration. In the context of the implementation of the NIS2 directive, member states of the European Union will have to address the challenges posed by CVD processes. As a first step, Belgium has already adopted a national policy which includes a legal framework protecting vulnerability reporters and a coordinator role for its national computer security incident response team (CSIRT).
The full article is available to subscribers to the journal.
Author's Biography
Valéry Vander Geeten is the Head of the Legal Department of the Centre for Cybersecurity Belgium. He also coordinates the national implementation of the European directive on Network and Information Systems (NIS) in Belgium. Valéry holds a law degree and an LL.M. degree in public and administrative law, both from the University of Brussels (ULB). He is a former lawyer at the Brussels Bar and a former teaching assistant at the ULB. Valéry's interests are cyber security, cybercrime, data protection, IT law and public law. He has also acquired dedicated expertise in the field of information security management, vulnerability management and coordinated vulnerability disclosure (CVD) processes. The present contribution has been especially inspired by discussions about CVD between national experts in the NIS European Cooperation Group.