Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dutch Gov't Offers Guidance For Responsible Disclosure Practices

Posted by Soulskill on from the here-is-how-to-do-your-job dept.

An anonymous reader sends this quote from an IDG News report: "The Dutch government's cyber security center has published guidelines (in Dutch) that it hopes will encourage ethical hackers to disclose security vulnerabilities in a responsible way. The person who discovers the vulnerability should report it directly and as soon as possible to the owner of the system in a confidential manner, so the leak cannot be abused by others. Furthermore, the ethical hacker will not use social engineering techniques, nor install a backdoor or copy, modify or delete data from the system, the NCSC specified. Alternatively a hacker could make a directory listing in the system, the guidelines said. Hackers should also refrain from altering the system and not repeatedly access the system. Using brute-force techniques to access a system is also discouraged, the NCSC said. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization. The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said."

37 comments

  1. speaking of responsibility... by terec · · Score: 5, Interesting

    "Responsible disclosure" is nice. But what about holding banks and businesses responsible for the harm they are causing when their security practices fail? What about the worry and wasted time they cause to customers? What about compensating the victims of identity theft due to sloppy security practices? Businesses seem to be able to screw up arbitrarily without a lot of consequences right now.

    1. Re:speaking of responsibility... by AliasMarlowe · · Score: 1
      Ftom TFS:

      The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with consent of the involved organization.

      This sounds like NEVER for the disclosure date, because either (i) the vulnerability won't get fixed if it's not known to the public, and (ii) even if it does get fixed, why should a company agree to expose the fact it screwed up?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:speaking of responsibility... by Anonymous Coward · · Score: 0

      I think the question was rhetorical...

    3. Re:speaking of responsibility... by Synerg1y · · Score: 1

      On the flip side of that, if a hacker is caught penetrating a system, they can go to jail, there was a story on here a little while ago about a guy who did just what these guys are talking about and got charges pressed against him by the company who's systems got penetrated by him. Best bet is to publish the vulnerability on forums anonymously & let it circulate around till somebody from the organization catches wind.

  2. Been Done by shawnhcorey · · Score: 5, Insightful

    "Responsible disclosure" means "We don't want to bother fixing it." If the vulnerability is not make public, it is never fixed. This has been done many times before. The only way to get them fixed is to make them public.

    --
    Don't stop where the ink does.
    1. Re:Been Done by sofar · · Score: 5, Informative

      Being a native dutch speaker, I read the entire guidelines in Dutch, and they include disclosure terms to encourage companies to rapidly fix (60 days) issues, and make agreements with the discloser about the disclosure.

      This is common practice and rather well accepted practice already. So, in essence, the document encourages the public disclosure. Any company that wishes to ignore the vulnerability will have their asses handed to them anyway, so this guideline actually helps - security researchers can use it to show to companies that they are acting in good faith as long as companies play by the same rules.

      So personally, I highly encourage governments to do something like this.

      This Dutch variant is interesting in the sense that it creates a possible middle man that can mediate and monitor the disclosure. This protects disclosers, and puts more pressure on companies to abide by these standards. Not the other way around.

    2. Re:Been Done by CBravo · · Score: 1

      In four years I only once had a security researcher contact me about a problem. I really welcom that. On the other hand I caught dozens of wannabe's, customers and pro's who do not even bother to contact us before they scan our web application (which is not allowed in Holland). A request to our system is either valid or you are trying to do bad ****

      --
      nosig today
  3. There are only two things I hate by Tator+Tot · · Score: 3, Funny

    There are only two things I hate in this world:

    People who are intolerant of other people's cultures... and the Dutch.

    --
    To all you virgins: Thanks for nothing.
    1. Re:There are only two things I hate by sofar · · Score: 1

      Two thoughts on your message:

      1) you must hate yourself.

      2) the Dutch will still love you. :^D

    2. Re:There are only two things I hate by PlusFiveTroll · · Score: 1

      Wooooossssshhhhh

      http://www.imdb.com/title/tt0295178/quotes

      Nigel Powers: All right Goldmember. Don't play the laughing boy. There's only two things I hate in this world. People who are intolerant of other people's cultures and the Dutch.
      Goldmember: What? Take the fahza away! Dutch hater! And now, it is time to say goodbye. Dr. Evil's orders. Which, for you, is bad news bears,
      [talks in a deep vioce]
      Goldmember: Walter Matthau.

  4. Disclosure only with consent? by the_B0fh · · Score: 3, Insightful

    Seriously? Who's going to consent?

    Also, where's the responsibility on the part of the organization to show that they *HAVE* a secure coding practice, they don't simply outsource $2 coders, and they have a program in place to review security issues?

    1. Re:Disclosure only with consent? by sofar · · Score: 2

      The documents create a neutral middle-man organization that can mediate between companies refusing to cooperate and disclosers. It effectively puts irresponsible companies directly in the line of sight of the government and thus legal action. What's not to like?

    2. Re:Disclosure only with consent? by Len · · Score: 1
      What's not to like? How about a government agency enforcing a company's decision to conceal and not fix vulnerabilities? As far as I can see, there's no requirement that a company must agree to disclose at all; and white-hats who don't follow the guidelines are not offered any legal protection.

      We've seen time and again what happens when "responsible disclosure" is abused to allow security holes to go unfixed and exploited. This is big step backwards.

    3. Re:Disclosure only with consent? by sofar · · Score: 1

      The problem is that enforcing public disclosure by the organization itself is equivalent to self-incrimination. Think about that for a second. Do you really want to put that in law? In the US, it would be thrown out immediately as unconstitutional.

    4. Re:Disclosure only with consent? by Mattcelt · · Score: 1

      The 5th Amendment (which, for those who may not know, is the US Constitutional amendment forbidding the government from forcing individuals to self-incriminate) only applies to people.

      Oh, wait. Corporations are "people" now, too. It's official. The world is insane. I think I shall have to build an asylum to keep it in and prevent it from hurting itself.

      How do I change my /. username to Wonko?

    5. Re:Disclosure only with consent? by Anonymous Coward · · Score: 1

      All big Dutch telco's have such a policy in place already. I've spoken to quite a few organisations that are interested in adopting a responsible disclosure policy including banks and a security company. It is my experience that most companies who value security want this.

  5. Re:BUT WHAT CAN YOU EXPECT FROM DOPERS ?? by Anonymous Coward · · Score: 1

    Fewer dope heads than in the US!

  6. How Bout Noh! by Anonymous Coward · · Score: 0

    You crazy Dutch bastards!

    http://www.youtube.com/watch?v=lITBGjNEp08

  7. Sounds fairly reasonable. by Anonymous Coward · · Score: 0

    Do they have any suggestions for what to do if a vulnerability is discovered and reported to the involved organization, and the organization ignores it?

    That seemed like one of the trickier things to work out with regard to responsible full disclosure. Organizations are often opaque about their security priorities and it can leave researchers on the outside wondering about whether a fix is in the works for a reported problem or not. As vulnerabilities tend to affect more people than the organization itself, whether because they publish software or manage private information, it sometimes presents an ethical dilemma to security researchers about when to go ahead and report a problem to the public without the blessing of the organization involved.

    1. Re:Sounds fairly reasonable. by sofar · · Score: 4, Interesting

      The guidelines (dutch PDF) have a whole chapter outlining the responsibilities of the organization receiving a disclosure. They include guidelines for solving the issues (60 days for software, 6 months for hardware), reporting back progress to the discloser, allowing a discloser to report the vulnerability to a larger audience as part of the NCSC (government). Combined, these guidelines are an effective tool for security researchers to play by the rules and put pressure on companies together with others.

      Researchers are encouraged to disclose to the NCSC as well, which means many security experts will be able to put pressure on companies not fixing vulnerabilities according to these rules.

    2. Re:Sounds fairly reasonable. by Anonymous Coward · · Score: 0

      This looks really well thought out.

    3. Re:Sounds fairly reasonable. by Jiro · · Score: 1

      What happens if the organization doesn't follow those guidelines? Is the hacker then permitted to disclose (in which case the Slashdot summary is inaccurate) or is the hacker still required to stay quiet?

  8. Time limit by Todd+Knarr · · Score: 2

    The only way I'd accept the "only disclose to the owner" condition is if it included a time limit within which the owner must either fix the vulnerability or disclose the vulnerability to the public, and if the owner fails to meet the limit the confidentiality is lifted and the hacker is free to disclose the vulnerability himself. If software makers want their mistakes kept confidential then the cost is a binding commitment to fixing those mistakes, and the penalty for failing to meet their commitment is that the hackers are freed from theirs.

    1. Re:Time limit by sofar · · Score: 3, Informative

      As I posted before, the guidelines mention explicit timelines that should be followed. 60 days for software, 6 months for hardware.

  9. Re:but... by sofar · · Score: 2

    Most likely scenario for Security, Dick:

    1) Criminality. Failure to ensure funding from reputable companies forces these folks into blackmail or abuse of disclosure process. Eventually, they end up behind bars.

    2) Corrective collective: Companies never give out freebies, but well-behaved security researchers have far more fun not being chased by police and get all the chicks. This creates a role model. You should see Bruce Schneier at rave parties.

  10. define software, define hardware by Mister+Liberty · · Score: 1

    And what about a discovered social engineering v11y.

  11. Directive ethical hacking solves nothing by wabrandsma · · Score: 4, Informative

    The problem is that the definition for hacking is overly broad. If you enter an URL in the address bar, and change just a serial number in the URL, it is considered hacking. Like finding Queen Beatrix's Christmas speech before it was officially published http://www.nrc.nl/nieuws/2012/12/25/hacker-kersttoespraak-van-geen-kwaad-bewust-tijdens-strafbare-actie/ (in Dutch). Or proving access to medical files by MP Henk Krol http://nos.nl/artikel/447718-krol-vervolgd-om-hacken-dossiers.html (in Dutch).
    IT journalist Brenno de Winter calls the guidance useless. "If hackers first have to report the vulnerability, they lose their anonymity without having a guarantee that they will not be prosecuted. And even if a company promises that it will not press charges, the Public Prosecutions Department can start a case." Link here: http://www.trouw.nl/tr/nl/5133/Media-technologie/article/detail/3372108/2013/01/04/Richtlijn-ethisch-hacken-lost-niets-op.dhtml (in Dutch).

    1. Re:Directive ethical hacking solves nothing by the_brobdingnagian · · Score: 1

      The problem is that the definition for hacking is overly broad.

      It is clearly advised by the published guidelines that an organisation should define for themselves what they consider acceptable and what's not acceptable. An organisation might, for example, rule out social engineering attacks or DDoS.

      IT journalist Brenno de Winter calls the guidance useless. "If hackers first have to report the vulnerability, they lose their anonymity without having a guarantee that they will not be prosecuted. And even if a company promises that it will not press charges, the Public Prosecutions Department can start a case."

      A published responsible disclosure policy is a legaly binding document. If a organisation states that it find's certain behavior acceptable and even clearly states that it won't take legal action against people holding themselves to that document they have to follow that promise. As for the public prosecutor there are two parts that will protect responsible hackers. The first is the fact that the crime of hacking (computervredebreuk in Dutch law) requires the access gained by the hacker to be unlawful (wederrechtelijk). When a company states that certain behavior is acceptable, the legal test for wederrechtelijkheid will fail and the public prosecutor will have no case for the crime of computervredebreuk. Further more, the Dutch minister Opstelten has promised to talk to the public prosecutor about how they will handle responsible disclosure cases. Given the well thought-out contents of the released documents and the clear intentions of the gouvernment I have no reason to doubt the results of these talks.

  12. Re:BUT WHAT CAN YOU EXPECT FROM DOPERS ?? by Anonymous Coward · · Score: 0

    But not running the country. Instead, they are in the gutters, and in your house while you are away working hard. They migrate to cities like Portland and Seattle. Many sickos. Disgusting. I can't imagine a whole country like that, no matter how small, how insignificant, or how odd the footwear.

  13. NO GUARANTEE you will not be prosecuted! by Anonymous Coward · · Score: 1

    That's the only thing that really counts, and it's missing. The Public Prosecutions Department has absolutely no obligation to follow these guidelines.

  14. Only with consent = ENDANGERING CUSTOMERS! by Anonymous Coward · · Score: 1

    Companies will never give consent, and will only use that, to hide from customers, how shitty their software is! In other words: FRAUD!

    And I want to know that there is a security hole, and close it, *right when it is found*! Not half a year later, when the fix is out, after some Russian kid used it for his botnet for *months*! That is *deliberately* endangering me! Another CRIME. (And on top of it, assistance in the botnet operator's crimes!)

    NOT ACCEPTABLE! From the security standpoint of the customer.

  15. hacker behavior by Vincy · · Score: 1

    The article lists a number of actions that the hacker shall not do. Most are to be expected, such as not modifying the system, not bringing it down, not exposing private information. The first and last points in the list are strange though:

    • Not using social engineering to gain access
    • Not using brute forcing to gain access

    Eh? Why are these not valid attack vectors?

  16. Effect after a court of justice ruling by Anonymous Coward · · Score: 0

    I think you can see the effects of these guidelines after a company decides to prosecute an ethical hacker (provided the hacker has followed the directive) and the court of justice has favored the ethical hacker. After that _first_ directive-following ethical hacker has a favored court ruling a general consensus in the commercial world will make it's first mentality swing among ICT dept's. I agree these guidelines do not solve anything, but they can at least service the community of companies and ethical hackers that are open to this way of 'doing business'. At least now there are guidelines to hold on to (or shoot at).

    I wonder which directive-following ethical hacker is brave enough to willingly to put him/herself out on the line and which company is encouraged enough to decide to prosecute that hacker.