Belgium defines the conditions under which a citizen may carry out activities aimed at the uncoordinated discovery of vulnerabilities without having to fear legal consequences.

<https://ccb.belgium.be/en/vulnerability-reporting-ccb>

Vulnerability reporting to the CCB

Every computer system or network may contain vulnerabilities. These vulnerabilities can be detected by both well-intentioned people and by people with bad intentions. Apart from the existence of a coordinated vulnerability disclosure policy (CVDP) or bug bounty, the fear of being sued often prevents well-intentioned people from looking for and reporting these vulnerabilities.

As part of the implementation of the national cybersecurity strategy, a new legal framework has been adopted in Belgium to address this situation. This new framework allows any natural or legal person, acting without fraudulent or malicious intent, to investigate and report existing vulnerabilities in networks and information systems located in Belgium, provided that certain conditions are strictly respected (see detailed explanations). One of these conditions is to report the discovered vulnerabilities to the Centre for Cybersecurity Belgium (CCB) as soon as possible and according to the procedure provided for this purpose.

[...]

B. What are your obligations in the context of the search for and reporting of a vulnerability?

1° You must limit yourself strictly to the facts necessary to report a vulnerability. Thus, you must not act beyond what is necessary and proportionate to verify the existence of a vulnerability (see below point C "Proportionality and necessity of actions").

2° You must act without fraudulent intent or design to harm. You may not use your research for fraudulent purposes or with malicious intent. For example, you may not attempt to monetize the information discovered to the responsible organization or to third parties (unless, of course, a reward or remuneration has been explicitly and previously agreed upon in the context of a pentest, bug bounty, agreement, etc.). When possible and to demonstrate your good intentions, make yourself known to the responsible organization beforehand, during your research, for example by using a header or another identifiable parameter.

3° As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), you must inform the organization responsible for the system, process or control of the vulnerability. When more than one person was involved in the research, the report may be made on behalf of several individuals who then assume collective responsibility. For convenience, multiple vulnerabilities involving the same responsible organization can also be reported in a single report. However, it is necessary to make a separate report for each organization concerned. In order to establish the timeliness of your report, it is recommended that you keep evidence of the actions taken (logging) with respect to the network and information system concerned and communicate this information to the CCB at the time of the report.

4° You must as soon as possible report the discovered vulnerability to the CCB (in the absence of a CVDP), in writing and according to the procedures described below (point D). In order to establish the rapidity of your report, it is recommended that you keep evidence of the actions taken (logging) with regard to the system, process or control concerned and that you communicate this information to the CCB at the time of the report. It is also recommended to make the report prior to any active resistance by the responsible organization (e.g., shutting down the ports) and/or any criminal investigation, to emphasize the timeliness of the report.

5° You must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT (CCB).

C. Proportionality and necessity of actions

Your actions must be strictly limited to the facts that are necessary to allow the research and the reporting of a vulnerability of a network and information system. The following may be considered as such facts:
- unauthorized access or attempted access to a computer system (art. 550 bis § 1 and 4 of the Criminal Code);
- exceeding or attempting to exceed an authorization to access a computer system (art. 550 bis § 2 and 4 of the Criminal Code);
- taking over or copying computer data (art. 550 bis § 3 of the Criminal Code);
- the development or possession of hacking tools (art. 550 bis § 5 of the Criminal Code);
- possession, disclosure or use of information obtained through unauthorized access, for example information available on the Internet (art. 550 bis § 7 of the Criminal Code);
- introduction or modification of data in a computer system (art. 550 ter of the Criminal Code);
- interception or attempted interception of communications (art. 314 bis of the Criminal Code and/or art. 145 of the Electronic Communications Act of 13 June 2005);
- the violation of an obligation of professional secrecy or a contractual obligation of confidentiality.

Your actions and research methods must remain necessary and proportionate with regard to the objective of verifying the existence of a vulnerability in order to improve the security of the system, process or control concerned. The techniques used must therefore be strictly necessary and proportionate to the demonstration of a security flaw. If the demonstration is possible on a small scale, you cannot extend your research further. The goal is not to use the vulnerability to examine how far one can penetrate a system, process or control.

Similarly, there is no justification for disrupting the availability of services provided by the affected equipment. If not strictly necessary to demonstrate the existence of a vulnerability, the use and retention of data from the system, process or control may not be performed. Similarly, all data collected should be deleted within a reasonable time after the report. If it is necessary to keep this data for a longer period of time or if legal proceedings are in progress, you must ensure that this data is kept secure during this period.

The following may be considered as disproportionate and/or unnecessary actions:
- the installation of malicious software (malware): viruses, worms, Trojan horses, or other;
- Distributed Denial of Service (DDoS) attacks;
- social engineering attacks;
- phishing attacks;
- spamming attacks;
- password theft or brute force attacks;
- deletion of data from the computer system;
- the realization of a foreseeable damage to the visited system or its data;
- all other offences than those mentioned under C (e.g. burglary, theft, assault, etc.).

Finally, you should also take into account that if your vulnerability research is carried out on networks or information systems located in whole or in part outside the Belgian territory, the present reporting procedure will only protect you in Belgium and not in the other countries concerned.

[...]
Alberto Cammozzo