In January 2013 the NCSC published a guideline for responsible disclosure. Around that time, Dutch companies started publishing responsible disclosure policies on their websites. Many people have disclosed vulnerabilities through responsible disclosure procedures, either directly or with help from the NCSC.
There have been several cases in which a disclosure received wider media attention or was even the subject of a court case. The policy as defined by the Public Prosecution Service (OM) is an important guideline for these cases.
In this talk we will look back on the past 2.5 years of responsible disclosure in the Netherlands. We will discuss the good developments, but also look at some cases where responsible disclosure did not work out as planned. Finally, we will look at international developments in vulnerability disclosure.