02-15, 14:30–15:00 (Europe/Amsterdam), Mission Critical Room (Rembrandt)
With the support of the Dutch embassy in Tokyo, I have researched Coordinated Vulnerability Disclosure (CVD) in Japan for DIVD. Japan’s governmental policy on CVD dates back to 2004. Although Japanese criminal law and jurisprudence do not allow for large-scale intrusive vulnerability research and disclosure, Japanese institutes help citizens disclose zero days to vendors and report vulnerabilities to website operators. Also, the National Institute of Information and Communications Technology scans and notifies vulnerable IoT, and the Japanese government has adjusted laws to allow this.
With the support of the Dutch embassy in Tokyo, I have researched Coordinated Vulnerability Disclosure (CVD) in Japan for the Dutch Institute for Vulnerability Disclosure.
Key findings:
Japan’s governmental policy on CVD dates back to 2004. The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) is an independent institute founded in 1996 and currently funded by METI. The center handles incidents, analyses and shares information on online threats, monitors internet traffic, and has published Vulnerability Notes with Advisories since 2004.
Japanese criminal law and jurisprudence do not allow for large-scale intrusive vulnerability research and disclosure as Dutch case law does. In Japan, doing CVD on a broader scope and without informed consent is perceived as very rare. Security researchers generally fear prosecution as they may violate cyber security and privacy laws. A common statement at hacker events was: “I only report if they provide a bug bounty.”
Japanese institutes help citizens disclose zero days to vendors and report vulnerabilities to website operators. Organizations like IPA and JPCERT/CC provide structured processes for reporting vulnerabilities, focusing primarily on zero days affecting software or websites widely used in Japan. These reports are forwarded to vendors and operators, though researchers must navigate strict conditions.
The National Institute of Information and Communications Technology (NICT) scans and notifies vulnerable IoT, and the Japanese government has adjusted laws to allow this. The NOTICE project aims to prevent cyber-attacks by scanning IoT devices for weak passwords by attempting to log in. These activities run parallel to the Handling Regulations for Information Related to Vulnerabilities in Software Products and clearly violate cyber security laws. In order to proceed on this endeavor, the Cabinet overruled the Act on Prohibition of Unauthorized Computer Access by a special law, which provided NICT the mandate. To my knowledge, this is unique in the world.
English
Chris is one of the co-founders of DIVD and Managing Director since 1 January 2022. He entered cyber security through his experience as a researcher and wrote two books on Coordinated Vulnerability Disclosure: “Helpful Hackers” (2016) and “Cyberellende was nog nooit zo leuk” (2021). With his unusual background in electrical engineering and sociology, he analyzes how human and electronic networks interact. As a presenter he has taken the stage over 700 times and has organized and hosted many talk shows, such as Hack Talk (2017-2022). Combining these experiences and skills, he also provides cyber crisis management training to a broad range of organizations. You may say this is not a typical background for a Managing Director, but it works for DIVD. Chris perceives himself not as the boss, but rather as a translator who explains to the outside world how hackers can help and aims to provide nerds a safe space to do their thing.