CVDP - Coordinated Vulnerability Disclosure Policy

On the 11th of September, the Ministry for the Economy, Enterprise and Strategic Projects initiated a public consultation on the proposed Coordinated Vulnerability Disclosure Policy (“CVDP”). This marks the first time that ethical hacking has attained legal cognisance in Malta, and is a clear step towards strengthening the nation's cybersecurity infrastructure.

Released on August 27, 2024, the CVDP is one of the vital components of Malta's ongoing efforts to comply with the European Union's NIS2 Directive and the National Cybersecurity Strategy 2023-2026.

Addressing Vulnerabilities

The CVDP seeks to address vulnerabilities inherent in Information and Communication Technology (“ICT”) systems, which are critical to national security and daily operations. These vulnerabilities, often unknown to the organisation responsible for the system, may pose significant security risks. The policy outlines a formalised approach to facilitate the reporting and resolution of these weaknesses by involving security researchers and organisations in a secure manner and with legal certainty.

The policy's main objective is thus to encourage responsible disclosure of vulnerabilities by creating a legal framework for both the organisations managing ICT systems and the security researchers testing them.

Scope and Legal Framework

The scope of the CVDP is broad and ambitious. It aligns with the obligations set out under Article 7 of the NIS2 Directive, which mandates Member States to adopt national cybersecurity strategies that include policies on managing vulnerabilities. Notably, the currently proposed Cyber Resilience Act reinforces the requirement for manufacturers of digital products to implement CVD policies before market placement.

Under the proposed CVDP, the security researchers who test and report on ICT systems will operate under a binding agreement with the responsible organisation.

The CVDP is designed to be technology-neutral and without prejudice to other applicable legal frameworks, including Malta's Criminal Code and the General Data Protection Regulation (“GDPR”).

Key Provisions

One of the primary features of the CVDP is the establishment of clear guidelines on the obligations of the organisations responsible for ICT systems and of the security researchers testing them. These include the following:

  • Reporting Procedures: Security researchers are required to report vulnerabilities through a structured process that includes detailed technical documentation and communication with the Computer Security Incident Response Teams.
  • Confidentiality: The policy emphasises the importance of confidentiality. Vulnerabilities are not to be publicly disclosed until the responsible organisation has had an opportunity to address them, and the policy encourages secure communication between researchers and organisations to prevent data leaks. Where a researcher detects a vulnerability whose further exploration would involve any processing of personal data, the researcher shall not proceed any further and shall inform the organisation immediately, in line with the GDPR.
  • Civil Liability: The policy also outlines the legal responsibilities of security researchers. Researchers must act in good faith, and any unethical or illegal activity will result in liability. However, researchers who adhere to the policy are protected from legal claims, providing a safe environment for vulnerability testing. It is to be noted, however, that legal proceedings may still be taken against researchers who breach the CVDP.
  • Vulnerability Remediation Process: The responsible organisations are required to implement a clear remediation process to address reported vulnerabilities. This includes working closely with security researchers to find solutions and ultimately mitigate risks.
  • Rewards System: Responsible organisations may choose to offer rewards, such as financial incentives (in the form of a bug bounty) or public recognition, for valid vulnerability reports. This nurtures a symbiotic relationship between researchers and organisations: researchers are incentivised to contribute to the security of ICT systems, while organisations benefit from a proactive approach to identifying weaknesses.

As part of the public consultation, stakeholders are invited to provide feedback on the proposed policy by accessing the full document on the public consultation portal.

The Coordinated Vulnerability Disclosure Policy can be accessed here.

--

Do you require assistance in drafting your organisation’s Vulnerability Disclosure Policy? GTG is here to help!

For more information regarding Information Technology Law, do not hesitate to contact Dr Ian Gauci or Dr Terence Cassar.

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.