Saw "Belgium legalises ethical hacking (law.kuleuven.be)" on Hacker News. The original article is "Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?". The Belgian government's official Dutch and French PDF files are available there, but they also include information on other bills, so here I'm going by the English article...
I'm not sure whether there's a better Chinese term for the "ethical hacking" in the title, so for now I'll stick with that.
Conclusion first: after reading it, it feels like a very bad law. It will probably push all the ethical hacking that used to sit in a grey area straight into the black, or just have everyone release their 0-days outright?
To count as ethical hacking under Belgian law, four conditions must be met:
The first condition set by the law is that ethical hackers cannot have the intent to cause harm or to obtain illegitimate benefits with their activities. The law therefore excludes that ethical hackers request payment in order to reveal any potential vulnerabilities that they discovered, unless this has been agreed upon in advance, for example as part of a bug bounty programme or a CVDP. Extortion is not an activity endorsed by the law.
The first condition's restrictions include not being allowed to obtain any benefit, unless the organisation already offers a reward such as a bug bounty program.
The second condition mandates that ethical hackers report any uncovered cybersecurity vulnerability as soon as possible to the Centre for Cyber Security Belgium (CCB), which is the national computer security incident response team of Belgium. Ethical hackers also need to report their findings to the organisation they were investigating, the latest at the time they are notifying the CCB over a vulnerability.
The second condition is mandatory reporting to the government body (CCB); combined with the restriction in the first condition, this means handing it over to the government for free.
The third condition requires ethical hackers to not go further in their hacking than necessary and proportionate in order to uncover a cybersecurity vulnerability. Ethical hackers have to limit themselves to those activities that are strictly necessary for the objective of notifying a cybersecurity vulnerability. This condition is for example breached if a vulnerability is discoverable with less intrusive means than those chosen by the ethical hacker. Ethical hackers are also required to ensure that their activities do not affect the availability of the services of the organisation under investigation.
The third condition restricts penetration activity to only what is needed to prove the weakness or vulnerability.
The final condition is an obligation for ethical hackers to not disclose information about the uncovered vulnerability to a broader public without the consent of the CCB. Ethical hackers can therefore not report on uncovered cybersecurity vulnerabilities in the media, for example by noting it in a blog post, unless they have the authorisation of the CCB.
The fourth point is that the vulnerability may not be disclosed to anyone else until the government has consented.