Finding vulnerabilities in IT systems

Attempting to discover ‘bugs’, data leaks or other types of vulnerabilities in the IT systems of others is not permitted without the owner’s permission. Organisations sometimes hire an ethical hacker on security grounds; for example, to conduct their pen tests. Of course, it could also happen that someone spontaneously discovers a vulnerability and is eager to report it to the organisation.

Reliable report

How does the organisation know that it is a reliable report? It does so by indicating that it is open to receiving reports from unknown parties. This information can be stated in a policy for Coordinated Vulnerability Disclosure (CVD), also known as Responsible Disclosure (RD). The CVD policy contains rules for reporting and receiving vulnerabilities and flaws. This CVD or RD policy is usually published on the organisation’s website.

Consulting the CVD policy

In the CVD or RD policy, the owner of the IT system states for which IT systems reports can be made. The policy also shows which research methods may be used to discover vulnerabilities. In addition, it explains how you should make a report if you have discovered a vulnerability.

The policy contains information about the amount of time within which the organisation should resolve the reported vulnerability. In other words, the organisation uses this time to devise a solution. The discovery must not be made public during this period.

Limits to looking for vulnerabilities

The methods employed when looking for vulnerabilities in IT systems must be in line with the CVD or RD policy of the IT system's owner. If this requirement is satisfied, the organisation has no reason to doubt the intentions of the individual looking for vulnerabilities.

An organisation may still have reason to report the matter or to take other legal action. To avoid a criminal investigation by the police or Public Prosecution Service, we recommend keeping a log of the search.

An investigation may be initiated if someone consciously or unconsciously fails to comply with the CVD or RD policy. Based on this investigation, the Public Prosecution Service decides whether or not to institute criminal prosecution.

Rules for reporting vulnerabilities

Rules apply to reporting a bug, data leak or other vulnerability in an IT system. The first rule is that a vulnerability is always reported to the owner of the system in the first instance. This report must be made confidentially in order to prevent others from gaining access to information about the vulnerability.

Uncovering the vulnerability does not automatically mean that there is a reward for it. The system owner states any reward in the CVD policy. The second rule is that information about vulnerabilities must be dealt with confidentially. The third rule is that making the vulnerability public only occurs in consultation with the organisation itself.

If a vulnerability affects a number of IT systems, or if it concerns a vital system such as a drinking water supply or an electricity network, you must contact the NCSC.