Responsible Disclosure Guideline
In January, Minister Opstelten (Security and Justice) sent a letter to Parliament outlining a guideline for arriving at a practice for responsible disclosure. The letter also describes building blocks for setting up a responsible disclosure policy. Responsible disclosure can be an important step towards enhancing the security of information systems, software and other ICT products. In producing the framework, the Ministry of Security & Justice worked in dialogue with incident reporters and with public and private organisations.
The guideline is a tool for organisations and incident reporters to facilitate the responsible reporting and handling of vulnerabilities in information systems, software and other ICT products. Organisations can use the guideline to help them draft their own responsible disclosure policies. The security of information systems, software and other ICT products remains principally the organisation's responsibility. Incident reporters, however, also have responsibilities, such as holding off on publication until the organisation has been able to remedy the problem.
Where necessary, the National Cyber Security Centre (NCSC) has a role in bringing parties together and in sharing information on vulnerabilities with other parties, so that they can take their own measures and learn from reports. In these efforts, the NCSC places its primary focus on the national government and the vital sectors.