WHY2025

Reporting vulnerabilities in Belgium
2025-08-09, Andromeda
Language: English

How noticing a vulnerability in a website has led to a foreign government threatening to revoke my permission to publicly discuss the existence of an abstract vulnerability class.


Belgium has laws regulating the reporting and public disclosure of vulnerabilities. While the goal is to protect both organisations and reporters of vulnerabilities, the assumptions behind them conflict with the practice of coordinated vulnerability disclosure. I will discuss the parts of my experience I’m allowed to tell.

Data protection consultant and one of the initiators of the Dutch Coordinated Vulnerability Disclosure policy adopted by the national government and many other organisations. I try to create a safe environment for hackers to publicly disclose the vulnerabilities they find.