Dutch government publishes security flaw disclosure guide

The Netherlands has published guidelines to encourage the responsible release of security flaws

The Dutch government has published guidelines to encourage the responsible release of security flaws.

The move is aimed at clarifying the process of responsible security vulnerability disclosure to improve relations between security researchers and commercial software producers.

Dutch security minister Ivo Opstelten plans to encourage the use of the responsible disclosure guidelines in government, according to the Wall Street Journal.

The Dutch National Cyber Security Centre (NCSC) said security researchers and ethical hackers play an important role in security by finding vulnerabilities in computer software and systems.

However, the NCSC said security researchers are sometimes reluctant to disclose vulnerabilities to companies.

Instead, vulnerabilities are disclosed through public channels, but this creates problems because security vulnerabilities are revealed before they can be fixed, the NCSC said.

The guidelines are designed to provide organisations with a framework to create their own policies on responsible disclosure.

The guidelines encourage organisations, including governments, to create a standardised online form for reporting vulnerabilities.

The NCSC believes reporting should take place directly between the person who discovers a security vulnerability and the organisation concerned, but it will act as an intermediary if necessary.

Dutch authorities said the guidance does not affect the current legal framework. This means even if organisations agree not to prosecute hackers who follow rules on disclosure, the Dutch Public Prosecution Service will retain the option to go to court if it believes crimes have been committed.

Security researchers and ethical hackers typically complain that, apart from Microsoft and a few other top suppliers, software producers are unresponsive to vulnerability reports.

In mid-2010, Microsoft introduced an initiative aimed at promoting what it calls co-ordinated security disclosure, in an attempt to end the debate over the merits of responsible disclosure versus immediate, full disclosure by researchers.

The initiative is aimed at explaining to security researchers that Microsoft, like most other software suppliers, would like to know about vulnerabilities and work out ways to best protect customers before a vulnerability is disclosed.