The Netherlands’ Ministry of Security and Justice, through the country’s National Cyber Security Center (NCSC), has published guidelines for the responsible disclosure of vulnerabilities.
The government explains that researchers who report information and communications technology vulnerabilities have “an important social responsibility,” which is why there must be a responsible way for them to carry out this task.
Security researchers are advised not to cause unnecessary damage when demonstrating a vulnerability, and to give the affected organization time to address the issue before publishing their findings.
On the other hand, officials also emphasize that the organizations themselves are primarily responsible for ensuring that their products are properly secured. To that end, they must respond promptly and efficiently to vulnerability reports.
The ministry notes that the organization affected by the security issue and the individual or firm that discovers it must agree on certain terms, including how the vulnerability will be addressed and how, and when, it will be disclosed.
Disclosure to the IT security community is also important because others could learn something from it.
While organizations are encouraged not to pursue legal actions against researchers who responsibly disclose vulnerabilities, the Public Prosecutor maintains the right to prosecute if crimes have been committed.
The recently published guidelines have been created as a result of collaboration between the Ministry of Security and Justice and experts from both public and private organizations.
The ministry highlights the fact that it’s crucial for the IT security community to share knowledge on vulnerabilities to contribute to a safe digital environment.
If necessary, the NCSC – which primarily focuses on the government and the country’s critical sectors – can act as an intermediary that brings all the involved parties together and handles the sharing of information.