These days in The Netherlands several initiatives pop-up around the issues of ethical hacking and Responsible Disclosure.
What's all the fuss about?
Last year a hacker reported a vulnerability and a data leak in a back-up server of a Dutch hospital. He claimed that he found a lot of confidential information on a server that was readily accessible from the internet. The report was made through a Dutch journalist, +Brenno de Winter.
After publishing the incident we learned that the hospital sued the hacker and for us, the security community, this was unheard of: why sue someone who reports a vulnerability? Who are the amateurs responsible for this leak and do they really think they can get away by suing a security researcher?
In the mean time the minister of Internal Affairs published his guidelines for ethical hacking. And in those guidelines a hacker might be exempt from prosecurtion if he acted conform.
So, we, the Dutch security community, were puzzled. Then rumors came in that the hacker had installed malware on the hospital's server. Sentiment changed, but despite the new guidelines, trust of the hacker community in the authorities, like the DA responsible for cyber crime, vanished. Trust was gone and so was the willingness to co-operate. And right after, some critics of the official guidelines raised their voices and it looked like the guidelines were no longer valid for the people that were addressed in the guidelines.
At this moment this is the status:
- The minster of Internal Affairs published ethical hacking guidelines
- a hackers society published their own responsible disclosure service
- Floor Terra, a researcher within the Dutch Twitter security community published a Responsible Disclosure policy site (here's a translation by Google).
Anyway a lot of activity in interesting times. Please have a look at Floor's site and feel free to react!
I will try to publish some more about all activity and invite you to join the discussion.