Dutch govt publishes ethical hacking guidelines

News Broadband Netherlands 7 JAN 2013
The Dutch government's National Cyber Security Centre (NCSC) has published guidelines for ethical hackers seeking to disclose security vulnerabilities in a socially responsible way, PC World reported. The government wants the guide to provide a framework that will help organisations create their own policies on responsible disclosure. While the released guidance does not affect the existing legal framework, it encourages parties to work together to make IT systems safer, the NCSC said.

Companies and governments could, for example, offer a standardised online form that security researchers can use to notify an organisation when they find a vulnerability. The company and the researcher can also agree to disclose the vulnerability within a certain time frame. An acceptable period for the disclosure of software vulnerabilities is 60 days, while a reasonable period to disclose harder-to-fix hardware vulnerabilities is six months.

 
When an organisation decides to follow these guidelines, it should include in its policy that it will not take legal action against ethical hackers who comply with the rules. Hackers should also refrain from altering the system and should not access it repeatedly.
 
