The Dutch government has published guidelines to encourage the responsible release of security flaws.
The move is aimed at clarifying the process of responsible security vulnerability disclosure to improve relations between security researchers and commercial software producers.
The Dutch National Cyber Security Centre (NCSC) said security researchers and ethical hackers play an important role in security by finding vulnerabilities in computer software and systems.
However, the NCSC said security researchers are sometimes reluctant to disclose vulnerabilities to companies.
Instead, vulnerabilities are disclosed through public channels, but this creates problems because security vulnerabilities are revealed before they can be fixed, the NCSC said.
The guidelines are designed to provide organisations with a framework to create their own policies on responsible disclosure.
The guidelines encourage organisations, including governments, to create a standardised online form for reporting vulnerabilities.
The NCSC believes reporting should take place directly between the person who discovers a security vulnerability and the organisation concerned, but it will act as an intermediary if necessary.
Dutch authorities said the guidance does not affect the current legal framework. This means even if organisations agree not to prosecute hackers who follow rules on disclosure, the Dutch Public Prosecution Service will retain the option to go to court if it believes crimes have been committed.
Security researchers and ethical hackers typically complain that, apart from Microsoft and a few other top suppliers, software producers are unresponsive to vulnerability reports.
In mid-2010, Microsoft introduced an initiative aimed at promoting what it calls co-ordinated security disclosure, in an attempt to end the debate over the merits of responsible disclosure versus immediate, full disclosure by researchers.
The initiative is aimed at explaining to security researchers that Microsoft, like most other software suppliers, would like to know about vulnerabilities and work out ways to best protect customers before a vulnerability is disclosed.