Belgian CVD is deeply broken (devae.re)
50 points by piecrumpled 13 hours ago | 12 comments
pornel | 8 hours ago
The related "Belgium is unsafe for CVD" post explains that if you discover any vulnerability in anything in Belgium, it automatically creates a legal obligation on you, with a 24h deadline, to report this secretly and exclusively to Belgian authorities, with logs of everything you've done, even if you're not a Belgian citizen and don't reside in Belgium. This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable. The most rational response for law-abiding vulnerability researchers is to stay away from everything Belgian and never report anything to them.
gillesjacobs | an hour ago
Had many a friend in the Belgian hacker scene who was threatened with legal action after responsible disclosure. To my knowledge, these threats always remained empty: if there is one thing more expensive than engineering a fix, it is starting a lawsuit in Belgium. It is a sad state of affairs that the culture is like this. Ultimately it results in a less secure society, where vulns are anonymously disclosed and shared.
PeterStuer | 8 hours ago
For non-Belgians, ItsMe is an identity/digital signature/2FA app used almost universally in banking, ecommerce and gov in Belgium. The 'attack' is getting the victim to confirm the identity or signature for you by socially engineering them into initiating the set-up of a parallel session. This is possible for implementations of ItsMe that only rely on phone number/application, and do not validate the actual session, e.g. by having the user scan an in-session QR code.
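The distinction PeterStuer draws (confirming by phone number alone versus binding the confirmation to the session the user actually started) is easy to see in a small relying-party model. The following is an added example, not code from ItsMe or from any Belgian integrator; the class names, the `start_login` / `receive_app_confirmation` methods, and the phone number are all constructed for illustration. In weak mode the site approves whichever pending session carries the confirmed phone number, so a session someone else opened for that number gets approved; in hardened mode a confirmation only completes the session whose in-page challenge (the QR content) the user scanned.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """One pending login on the relying party (hypothetical model)."""
    session_id: str
    phone: str
    challenge: str          # value rendered as the in-session QR code
    approved: bool = False


class RelyingParty:
    """Toy relying party that delegates login to a phone identity app."""

    def __init__(self, bind_to_challenge: bool) -> None:
        # bind_to_challenge=False models "phone number/application only".
        self.bind_to_challenge = bind_to_challenge
        self.sessions: dict[str, Session] = {}

    def start_login(self, phone: str) -> tuple[str, str]:
        """Create a pending session; the challenge is shown only on this page."""
        session_id = secrets.token_hex(8)
        challenge = secrets.token_urlsafe(16)
        self.sessions[session_id] = Session(session_id, phone, challenge)
        return session_id, challenge

    def receive_app_confirmation(self, phone: str,
                                 scanned_challenge: str | None = None) -> str | None:
        """Called when the identity app reports that `phone` confirmed.

        Returns the session id that was approved, or None if nothing matched.
        """
        pending = [s for s in self.sessions.values()
                   if s.phone == phone and not s.approved]
        if not pending:
            return None
        if not self.bind_to_challenge:
            # Weak: any pending session for that phone number is good enough.
            session = pending[0]
            session.approved = True
            return session.session_id
        # Hardened: the confirmation must carry the challenge the user scanned,
        # and it must match exactly one of the caller's own pending sessions.
        if scanned_challenge is None:
            return None
        for session in pending:
            if hmac.compare_digest(session.challenge, scanned_challenge):
                session.approved = True
                return session.session_id
        return None


def parallel_session_gets_approved(bind_to_challenge: bool) -> bool:
    """Simulate the scenario from the thread and report whether the
    session that a third party opened for the victim's number is the one
    that ends up approved."""
    rp = RelyingParty(bind_to_challenge)
    victim_phone = "+32 470 00 00 00"  # constructed sample value

    # A session for the victim's number is opened on another browser first.
    other_sid, _other_challenge = rp.start_login(victim_phone)

    # The victim then opens their own session and confirms in the app; in
    # hardened mode the app submits the challenge from the victim's screen.
    victim_sid, victim_challenge = rp.start_login(victim_phone)
    approved = rp.receive_app_confirmation(victim_phone,
                                           scanned_challenge=victim_challenge)
    return approved == other_sid


if __name__ == "__main__":
    print("phone-number-only :", parallel_session_gets_approved(False))
    print("challenge-bound   :", parallel_session_gets_approved(True))
```

The design point is that the approval decision has to be keyed on something only the initiating page and the user's app share (the per-session challenge), not on an identifier like a phone number that can be pending in several sessions at once. Compare the challenge with `hmac.compare_digest` rather than `==` so the check does not leak timing information about the expected value.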
brohee | 5 hours ago
Whoever came up with those policies doesn't seem to get that the harder you make responsible disclosure, the more attractive irresponsible disclosure is, and it is easy enough to do anonymously. The policy stems from a deep culture of CYA and will instead find them with their pants around their ankles soon enough.
RagnarD | 7 hours ago
Moral of the story: Belgium richly deserves the consequences of actual hacking.
xchip | 8 hours ago
I'm going to say something unpopular, but unfortunately that attitude is far too common in Belgium, everywhere... In business, with contractors, with lawyers, in restaurants... They are rude, they will deny everything, and if you try to escalate they threaten you (even if you show them evidence and no matter how well you documented things)... but then if you hold your ground they give up. I'm not sure if they really believe they are right or they are trying to gaslight you hoping that you will give up. Anyway, thanks for pointing the issue out and don't let this cultural issue stop you from doing the right thing. In the end they will chicken out. I think this part of the Belgian culture is getting on everybody's nerves. I think this extra 'arrogance tax' makes people think twice before doing business in Belgium. I would definitely like to see more intellectual honesty and sportsmanship. Thanks for your hard work and for putting up with this.
HenryBemis | 4 hours ago
Having worked as IA in plenty of banks, I can only say "no good deed goes unpunished". My friendly suggestion is that when you involve cunts in the dialogue (regulators, legal depts, lawyers) you JUST started a fire and those assholes ONLY care to have a fall-guy. And the #1 is (you guessed it) You!! You cannot expect an honest response from (ffs!) a bank! They are the most dishonest people on planet earth. If there is a bounty, go through the hoops and do get paid. If not, then feel free to go for a lunch with someone-who-knows/trusts-someone and solve it in the d-l.. with all the plausible deniability you can get "I saw the photo of the guy/gal on LI and wanted to meet him/her for the sex.. I dunno what hacking-vuln you are talking about!" You may think that the above is risky/dangerous/wrong; good! (https://www.youtube.com/watch?v=d-7o9xYp7eE)