From Responsible Disclosure Policy (RDP) towards State Regulated Responsible Vulnerability Disclosure Procedure (hereinafter - RVDP): The Latvian approach

Abstract. Cybersecurity is an integral part of security and plays a tremendous role in modern society. It encompasses the technical, organizational and legislative measures created to protect against, and minimize the impact of, cyber incidents. Any software may contain bugs or security holes. Hackers frequently discover such flaws and, without the vendor's consent, publish step-by-step details of the vulnerability, disregarding the resulting IT security risk. Many vendors have already introduced responsible disclosure policies or "bug bounty" programs. In 2013 the Netherlands launched the first state-level responsible disclosure Guidelines. The Guidelines contain the principles, definitions and organizational measures necessary for a responsible disclosure policy adopted as state policy. Latvia decided to draft a Regulation on a responsible disclosure procedure. In March 2016, the Ministry of Defence created a working group. The goals of the drafters were: 1) to prepare an amendment to the Law on the Security of Information Systems creating a legislative framework for the responsible vulnerability disclosure process; 2) to draft an amendment to Section 241 (3) of the Criminal Law creating a guarantee against prosecution (a waiver) for persons who act in accordance with the responsible disclosure process. The paper provides an insight into this process and the difficulties faced by the drafters, and presents provisional results of the legislative draft together with lessons to be learnt.