Minister: no criminal reports against ‘ethical’ hackers

Minister Opstelten of Security and Justice does not want companies and organisations to file a report against hackers with good intentions who bring security issues to light. However, the hacker must then not go any further than is necessary to demonstrate the vulnerability.

When hackers report vulnerabilities at companies and organisations in a ‘responsible manner’, they “contribute to a significant extent to increasing the security of these systems”, writes Minister Ivo Opstelten of Security and Justice in a letter to the Second Chamber. He therefore wants organisations not to file reports against so-called ethical hackers who detect security vulnerabilities, and he is issuing a guideline. He had already promised that earlier.

What matters to Opstelten here is that hackers do not go any further than necessary. Making changes to a system, copying data, accessing a system multiple times or sharing access with others are out of the question, as are social engineering and the installation of backdoors. From companies, Opstelten expects that they respond adequately to notifications, forward them as quickly as possible to the correct department and keep the reporters informed of the progress. The guideline further suggests that companies give ethical hackers a reward for reporting a problem. In the first place, the intention is that a security issue is reported to the company itself, but if that does not work, the Cyber Security Centre in The Hague can help.

In his letter to parliament, Opstelten argues for responsible disclosure: the public disclosure of certain details of a security vulnerability, but only after the security issue is resolved, and without personal information being made public. As far as the minister is concerned, the discoverer of a data leak and an organisation come to an agreement whereby the reporter gives the organisation enough time to fix the security vulnerability. For a leak in software, he suggests a standard deadline of 60 days; for hardware problems, half a year. If a leak cannot be solved, or only with great difficulty, it may be necessary not to make it public, the minister believes.

Because it is a guideline, the government cannot enforce that organisations do not file reports against ethical hackers. “But this should give hackers more guidance”, says spokesman Edmond Messchaert of the Dutch Ministry of Security and Justice. “Until now, it was often unclear in incidents whether or not a report would be filed. We are trying to take that away. This is not an invitation to anyone to come snooping around.”

Messchaert thinks that companies will follow the guideline. “It is in companies' own interest that they deal with security issues in a good way. That is purely economic corporate interest.” In certain sectors, such as the financial world and telecom, this is, according to him, already the case. According to the spokesman, Minister Opstelten will ‘promote’ the policy among his fellow ministers, so that the government also adopts the policy internally.

In addition, Opstelten will sit down with the Public Prosecutor’s Office on the question of whether hackers will or will not be prosecuted. But, says Messchaert, “In our rule of law, the Public Prosecution Service has the authority to make the decision whether criminal proceedings are instituted. There is no being.”