Why I think Belgium is unsafe for CVD. The Belgian government has put lifelong secrecy obligations onto me, no right to object and a secret policy for determining who gets an exception. All because I accidentally noticed a vulnerability. https://floort.net/posts/belgium-unsafe-for-cvd/
Belgium is unsafe for CVD

CCB's interpretation of Belgian law creates serious problems for CVD.

floort.net
Update: "We would like to inform you that you will very shortly receive a positive decision (taking into account the information received from [redacted]) granting you permission to make the information about your vulnerability report public."
How I enjoy administrative procedural stuff... I am allowed to object to the formal decision to give me permission to publish my findings. Also, CCB wasn't joking when they said "very soon": 47 minutes.
And I can now say that it was a vulnerability at the Belgian data protection authority (Gegevensbeschermingsautoriteit). More details to follow at my WHY2025 talk and later on my blog. https://program.why2025.org/why2025/talk/3R8JLD/
Reporting vulnerabilities in Belgium WHY2025

How noticing a vulnerability in a website has led to a foreign government threatening to revoke my permission to publicly discuss the existence of an abstract vulnerability class.

@floort Hopefully just in time for your talk.
@molenaar The talk will be ok without the specific vulnerability. But this helps to add another positive note. Roughly a month and a half between action taken to prevent exploitation and permission to publish is still far from ideal if I would have needed to warn others too.
@floort This Belgian law reads like an SCP entry. Absolutely unhinged.
@ygor Now I know what the SCP Foundation is. 🤣
@floort I guess what I really meant to say is that it effectively turns any vulnerability involving Belgium into a cognitohazard. SCP is the first thing that came to mind because they have a lot of entries like this, one of the most well-known being SCP-096, which kills anyone who sees its face, even if it's in a photo or video. They also often include complicated procedures you have to follow to avoid a tragic fate, so there's that.
@floort IANAL but I don't see how any country can claim to have a national law applying to a non-resident and non-citizen. Somebody didn't think this through.
@fedops I am not a lawyer either. I specifically asked CCB about this and they did claim the obligations apply to me. And as it's formulated to me I can't even get legal advice where I can explain the details of the case. Not sure how to solve that.
@floort yeah. I'd maybe try reaching out to EFF Europe and see what they think. They might be able to get a tech lawyer to have a look.

@fedops @floort It seems like one of the parties here was a Belgian organisation, so the law certainly can apply.

Whether or not such a law is enforceable is another thing (and might depend on e.g. mutual or multilateral treaties between the countries involved).

And, as Inti said, the question is also whether or not there ever was a crime committed.

@janc @fedops As far as I know no crime was committed by me. I was not even trying to look for a vulnerability.

@floort AFAICT the law & permission from CCB is only relevant when you need protection for violating the law, and not when you accidentally stumble onto something.

E.g. actively bypassing authentication in unintended ways vs. finding that someone accidentally exposed a document by checking the wrong option in a CMS.

It’s the difference between reporting that you found a way to open a car (e.g. with a replay attack), and reporting that someone left their car door open.

@janc That was my understanding too. But that is not how CCB explains it on their website. And I also called them to ask and they said reporting was a requirement for me.
@janc I have quite extensive written communication with them about this distinction. That was mostly ignored. They could have responded at any point to that. Instead the focus was on not giving me permission to break confidentiality.
@janc Their website does not describe it as a condition to receiving protection. They describe it as obligations. https://ccb.belgium.be/nl/cert/bekendmaking-van-kwetsbaarheden-aan-het-ccb
Disclosure of vulnerabilities to the CCB | CCB Safeonweb

@floort IANAL but when reading the law, it seems like after you reported it, CCB is *required by law* to *facilitate* (e.g. negotiate on your behalf) the responsible *disclosure*, and thus refusing that (after the security issue is fixed) would mean *they* violate the law regulating their existence?

Maybe @intidc knows a lawyer who can help explain this…

@floort Also, article 23 of the law only says that reporting by you is mandatory to avoid being accused of a crime. The organisation where the security problem happened might still have to report to CCB in a case like yours (e.g. if private data was exposed or other entities might be at risk because of what happened).
@janc The problem is that I'm not entirely confident in how to interpret those laws. And even if I think I did the right thing others might not. And on top of that: after explaining my case CCB still said I had the obligation to report. They might be wrong. But how do I know?

@fedops Well, obviously any country can and does have such laws. It doesn’t matter who you are or where in the world you are, if you hack into a server located in Belgium this act falls under Belgian jurisdiction. And the baseline here is: it’s an act punishable by law.

Now reasonable laws should have exceptions for security research. At the very least, anything that’s on your computer should be considered fair game for security research (yes, I am aware that this isn’t always true either).

When it comes to remote systems, things get really complicated however. Theory: any "normal" use of the system (whatever a regular user could do) should be an exception. But even that is hard to define, and lawmakers regularly fail there.

And for anything beyond that, you normally need permission from the owner of the system. Which regularly comes with limitations on your disclosure options. Because otherwise you operate within a grey area – this kind of security research is rarely prosecuted unless actual damage has been done, but it still could be.

Now whether it is wise to put strict reporting obligations on the researcher as opposed to the affected organization is an entirely different matter. As it is, this law will be broken quite regularly. And Belgium will usually just accept that, because that's the only reasonable course of action. As opposed to prosecuting well-meaning individuals for their lack of knowledge, despite them not having done any real harm.

@WPalant @fedops just to be clear: I didn't hack into anyone's server. I observed a vulnerability without actively looking for it.

@floort Yep, that's what I understood. It's something that should fall under "normal" use of a system. Still, this being a remote system things are complicated unfortunately and depend on the jurisdiction - if you choose not to ignore the potentially applicable laws. It's not like these laws are likely to be applied, but in theory they could be. Usually the only scenario where such laws are ever pulled out is when the affected organization decides to play the victim and blame you. It's very rare but it happens.

@floort I now wonder what, say, @intidc thinks of all this
@janboddez @intidc I can't speak about other people's opinions, but most bug bounty platforms enforce non-disclosure on most of their programs as well. https://floort.net/posts/are-bug-bounties-harmful/
Are bug bounties harmful?

TLDR: It depends. People who discover bugs and security vulnerabilities and want to improve security by publishing about their findings generally have a substantial task managing competing interests in the process. Publishing your findings can help others learn from that single mistake by installing a known patch, learning what mistakes not to make when building systems, knowing what vendors to avoid or taking other measures. However, publishing can also introduce risks by informing people how to abuse vulnerabilities. It's generally considered good practice to inform those who you know are vulnerable before publication to allow them to take steps to prevent harm. That process can be more time consuming than finding the bugs themselves and can even present a risk for the one reporting the bugs, for example by companies threatening legal action.

Floort.net
@janboddez @floort not sure if I want to be involved in what would be a lengthy discussion. I agree on a lot of things with Floor but I guess our approaches are different, which is fine. I do like some more nuance to the situation. I actually think that, despite some obvious red tape and bureaucracy which is luckily eroding as we speak, Belgium has become more progressive here. I am going to explain my viewpoint but am not seeking a debate:
@janboddez @floort my interpretation of the law is that it decriminalizes a crime by law (active testing, sending payloads to a system, potentially intruding in a third party system) if you report the vulnerability ethically. If this is not the case I have found them to be much more lenient (hacking self-owned products or non-cloud, misconfigs, business logic,…). I recently involved the press in a disclosure and CCB even helped me communicate it properly.
@janboddez @floort I think the bottom line is that if you follow the law by the letter and then ask CCB for explicit permission, yes, you will be disappointed. I do not think this is the fault of CCB but rather a (slowly) changing system. I think both Floor and I are putting pressure to change things, but our means are very different. Either way can’t hurt. But I personally disagree with the statement that Belgium is unsafe for CVD. Perhaps imperfect, like most of Europe.
@intidc @janboddez If you have an approach to do CVD that also allows for multi stakeholder CVD and where CCB reporting and secrecy requirements are not a significant obstacle I would love to know and I'll include it in an update to my post. Edit: I also do not want to blame CCB. My criticism isn't about the choices made in my situation, but about the underlying law and policy.
@floort @janboddez I guess that would really depend on the situation. I think it's important to make the distinction between breaking into someone else's computer (cloud) or some on-prem version for which you can get a CVE. In the latter scenario, as there is no crime, the reporter has much more control. For business logic flaws I personally don't bother with "guidelines" as IMO most of the testing can't really be considered illegal (the result might be, fraud/privacy violation)
@intidc @janboddez I asked CCB about the legal requirements in my specific case. They said I fall under the reporting requirement. Your suggestion is violating the legal requirements. That's fair, given the practical implications. But that would make my lawful attempt to help unlawful and therefore less safe for me.
@floort @janboddez I personally think (I am not affiliated with CCB or speaking on behalf of them, personal opinion) that when you would ask them, they would likely side with the more conservative answer to be sure. So I don’t - perhaps that’s the Belgian way of doing it (but then also don’t expect me to come help me when I miscalculated). I’m not even sure if they have actual legal grounds to approve such a disclosure request (which could be the bigger problem here)
@intidc @janboddez The policy for when to give permission to disclose is secret. But they do have a choice. You just can't appeal. Or know when it makes sense to ask again. Or know when to expect that they will grant permission. CVD is impossible if the reporter is not in control of when to disclose.
@floort @janboddez with the policy being unpublished I actually never expected there is a policy (yet). I always thought it was a strategic move to include at least the option it so they could expand it later on, once there was more political buy-in (which I do sense has increased). Perhaps their policy is that they can approve it for system they own or government systems, but I’m not sure if they have a clear legal basis for third-party systems
@intidc @janboddez CCB on the procedures for granting permission: "Moreover, as indicated, the internal operational procedure is also related to the safety of the population, public order and the security of the country, since the CCB must always be able to carry out its activities. Knowledge of the details of these procedures could be used for negative purposes."
@intidc @janboddez Whatever the policy is: CVD can't work if a single party can prevent disclosure. If disclosure is prevented it's not CVD.
@intidc @janboddez you can still be of the opinion that reporting vulnerability is a net positive. I won't deny that. But that's not CVD. I'm saying the current situation is unsafe for CVD. Not that it's unsafe for reporting vulnerabilities.
@floort @janboddez I think the nuance there is that, as I see it, they do not prevent disclosure in that kind of case, but they can withhold the implicit protection if you do not follow the (fairly conservative, for generalisation purposes) rules. Out of interest: is it the case in NL that if I report a SQL injection in the state security service tomorrow, I can always write about it, even if it is, for example, a structural problem that they are working on?
@intidc @janboddez In the Netherlands we have no confidentiality obligation for discovering what you are allowed to see. We do have a policy under which you are not prosecuted if, strictly speaking, you do something punishable in order to discover the leak, but you do so responsibly (as in CVD). But CVD also includes publishing unpatched vulnerabilities if they are not patched in time.
@intidc very much simplified: if I discover and report a vulnerability today and it is offline tomorrow, I can publish immediately. Consulting about the publication is neat and polite. Publishing tomorrow without a patch would quickly not be OK; punishable is harder to make stick. After a month still no patch, and then it can be quite reasonable to publish.
@floort I think this, provided it does not involve criminal offences, is also the case in Belgium. The legal technicality is, I think, that an entity like the CCB cannot always explicitly give you permission even if it falls within the tolerated spectrum, but that is of course only my interpretation.
@intidc That is not how the CCB explains the law. The reporting obligation and confidentiality are triggered by the discovery, regardless of how you discover it. Confidentiality is only lifted with the CCB's permission. Informally, the CCB also accepts the permission of the responsible institutions that have the vulnerability.
@intidc I have published several cases that I reported without them being fully resolved, to raise the point that they are not being resolved and because the responsible organisation broke the law by not being transparent itself. That is fully in line with government policy in the Netherlands.
@floort was the test punishable? Because then you run a risk in NL as well, don't you? For data leaks I go through two entities, the CCB for the technical part and the GBA for the privacy violations that follow from it. The CCB will rarely give me explicit permission to publish, but I am of the opinion that I sometimes do not need that permission.
@intidc It wasn't even really a test. I saw it by chance. But suppose it had been punishable in the Netherlands, then I would have been allowed to publish now and still fall under the CVD protection against prosecution.
@floort @janboddez but isn't that a bit the same then? CVD explicitly makes punishable situations not punishable, but keeps its hands off in other situations; can that also be considered tolerated then? Because giving permission = no longer tolerating
@intidc @janboddez CVD is a process, but says nothing about criminal liability. The Public Prosecution Service does have a policy of not prosecuting when CVD standards are applied. But the permission in Belgium is about permission to publish. In CVD it is absolutely not about permission to publish. CVD is about the process leading to publication in order to prevent as much damage as possible. How you get to publication, not whether there is publication.
@intidc @janboddez The law in Belgium partly resembles the standards we apply in the Netherlands. But the approach is enormously different, with enormous differences in effect. Unilaterally imposed restrictions on, for example, being able to criticise institutions, without even a process to challenge that, do not exist in the Netherlands. Not even when it concerns a bank or the meeting documents of a nuclear summit, to name just two of my own examples. I am allowed to talk about it.
@intidc @janboddez Incidentally, the first half of your comment is more in line with how I read the Belgian law. But the CCB interprets the reporting obligation and confidentiality as an absolute obligation. Not as a condition for additional protection.
@intidc Update: there is a policy. I have seen some details and will receive more. Appeals are possible; CCB just never formalized their refusal to give consent and didn't respond to my questions about the process. They do have legal grounds to approve (or reject) my disclosure request. More details to follow when I have full context.
@intidc @janboddez I think the core of the disagreement between me and CCB is that they treat me as a criminal that deserves some leniency under strict conditions instead of someone who wants to help voluntarily and wants to collaborate.
@floort they are really shooting themselves in the foot with that. A pity!
@floort that’s what we get for electing ignorant politicians!
@floort Something somewhat similar happened to the Chinese company Alibaba Cloud over the #Log4J vulnerability. They didn't report the vuln to the Chinese authorities before reporting it to the Apache Foundation, so they were punished for it.

https://www.zdnet.com/article/log4j-chinese-regulators-suspend-alibaba-partnership-over-failure-to-report-vulnerability/
Chinese regulators suspend Alibaba Cloud over failure to report Log4j vulnerability

Alibaba Cloud has been suspended from their information-sharing partnership with the Ministry of Industry and Information Technology for six months.

ZDNET
@Orca I'm not sure the Chinese government is bold enough to try to force non-citizens to keep silent about vulnerabilities.
@floort hii your SSL cert expired it seems like
@trespaul I noticed and fixed it myself just before seeing this message. Thanks for letting me know though! I appreciate it. I'll have to check why my auto-renewal failed.
@floort of course, and good luck with B*lgium