
Responsible Vulnerability Disclosure
A structured legal and operational pathway for coordinated vulnerability disclosure in the Kenyan cybersecurity context.
CVD OVERVIEW
01. Identify and verify the potential vulnerability using necessary and proportionate actions only.
02. Capture technical evidence, impact context, and reproducibility details without causing service harm.
03. Notify the affected organization and submit a coordinated notification to NC4 through the formal process.
04. Support remediation and validation in good faith while maintaining confidentiality and controlled disclosure.
05. Coordinate publication timelines after mitigation, with due regard to public safety and legal obligations.
Coordinated Vulnerability Disclosure (CVD)
Under Kenya’s cybercrime and digital protection framework, NC4 can receive vulnerability reports concerning ICT products and ICT services under Kenyan jurisdiction, including where the organization has no formal CVD policy or bug bounty program.
Existing private CVD or reward programs can still run, but legal protection for a researcher depends on strict compliance with good-faith and proportionality conditions.
Definitions and policy context
01. A Coordinated Vulnerability Disclosure Policy is a predefined set of rules enabling ethical researchers to identify and report vulnerabilities responsibly.
02. A bug bounty program is a specific CVD model that includes reward mechanisms based on severity and report quality.
03. Even where no CVD policy exists, reporting may proceed through the legal procedure if all required conditions are met.
Conditions for legal protection in good-faith research
01. Act in good faith and without fraudulent intent or malice.
02. Limit all actions strictly to what is necessary and proportionate for verification.
03. Do not exploit vulnerabilities for gain or disruption, or to extend unauthorized access.
04. Avoid altering, deleting, or exposing data beyond what is essential for proof.
05. Report promptly to responsible parties and NC4 through coordinated channels.
06. Preserve confidentiality until mitigation and coordinated disclosure steps are agreed.
Frequently asked questions
Is vulnerability discovery and reporting legally protected in Kenya?
Yes. Protection applies when research is performed in good faith, with no fraudulent intent, and through coordinated reporting to responsible parties.
What conditions must be met to qualify for legal protection?
Actions must remain necessary and proportionate, avoid exploitation or service harm, and be reported promptly through NC4-aligned channels.
Can a researcher publish vulnerability details immediately?
No. Disclosure should be coordinated after remediation milestones to avoid exposing users and critical systems to preventable risk.
What if personal data is encountered during testing?
Access should stop immediately, evidence must be minimized, and exposure details should be shared securely without retaining or distributing personal data.
How is a CVD policy different from a bug bounty program?
A CVD policy defines reporting and coordination rules. A bug bounty is a CVD implementation that also provides reward mechanisms for valid findings.
Guidance and reporting resources
01. CVD legal procedure guidance and FAQs (primary reference during legal review updates).
02. Good practice and legal aspect guide for organizational CVD implementation.
03. Example CVD policy templates and adoption frameworks for institutions.