
When Disclosure Fails - Europe's Struggle with Coordinated Vulnerability Disclosure

Eclipse Foundation via YouTube

Overview

Explore the critical failures of Europe's Coordinated Vulnerability Disclosure (CVD) framework through a real-world case study in this 46-minute conference talk. Learn how Product Cybersecurity Consultant Piet De Vaere encountered bureaucratic obstacles, legal threats, and technical disengagement when attempting to report a vulnerability in a major Belgian bank through official channels. Discover the technical details of the banking login vulnerability, including the attack scenario involving concurrent login requests and design flaws such as missing binding and weak user signals. Examine how the disclosure process became a prolonged standoff that highlights systemic problems across the EU, where policymakers treat CVD as a means to impose requirements on reporters rather than as organizational commitments to receive and fix vulnerabilities. Understand how current policies confuse disclosure with bug bounties, enforce unnecessary formalities, and discourage security researchers trying to help. Analyze the implications for NIS2 and the Cyber Resilience Act, and explore potential solutions to fix CVD before it collapses under regulatory red tape. Gain insights into Belgium's NIS2 implementation, legal safe harbor provisions, and the broader EU perspective on flawed CVD policy models, while considering the role of open source communities in rethinking vulnerability disclosure approaches.

Syllabus

0:00 – Welcome & introduction of Piet De Vaere
1:10 – Banking login flow & vulnerability explained
4:12 – Attack scenario: abusing concurrent login requests
6:54 – Design flaws: missing binding & weak user signals
7:55 – Trying to report: CVD policies, CERTs, and roadblocks
16:57 – Belgian NIS2 implementation & legal safe harbour
22:59 – EU perspective: NIS2, CRA & flawed CVD policy model
32:50 – Rethinking CVD & open source community role Q&A

Taught by

Eclipse Foundation
