pornel 16 hours ago

The related "Belgium is unsafe for CVD" post explains that if you discover any vulnerability in anything in Belgium, it automatically creates a legal obligation on you, with a 24h deadline, to report this secretly and exclusively to Belgian authorities, with logs of everything you've done, even if you're not a Belgian citizen and don't reside in Belgium.

This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable.

The most rational response for law-abiding vulnerability researchers is to stay away from everything Belgian and never report anything to them.

xchip 9 hours ago

Unfortunately this sounds like very wise advice.

You'd think that you'd rather encourage and reward researchers to ethically hack your systems than have the MI5 do it, as happened recently.

(https://www.infosecurity-magazine.com/news/how-gchq-hacked-b...)