Belgium Is Unsafe for CVD
10 months ago
- The author recounts a negative experience with coordinated vulnerability disclosure (CVD) in Belgium, leading them to avoid future engagements.
- Belgium's legal requirements for reporting vulnerabilities are strict: tight deadlines (24 hours for the initial report, 72 hours for full details) and mandatory secrecy unless the Centre for Cybersecurity Belgium (CCB) grants permission to disclose.
- The author faced stress and uncertainty due to unclear legal rights, secretive CCB policies, and threats of lifelong secrecy obligations.
- Multi-stakeholder CVD is practically impossible in Belgium if one affected party is Belgian, due to the legal constraints on disclosure.
- The author concludes by stating they will avoid investigating vulnerabilities in Belgian systems in the future to prevent legal risks.