Hoping to get it fixed, I reported the issue to both the bank itself and the Centre for Cybersecurity Belgium (CCB), following the principles of Coordinated Vulnerability Disclosure (CVD). In this post, I’m going a step further: I believe the Belgian system for CVD is fundamentally broken on every level: the law, the CCB, and the affected companies (or at least the ones I dealt with). Later that evening, I decided to take a closer look at the Belgian legislation on Coordinated Vulnerability Disclosure (CVD). Suddenly, I remembered that the head of CERT.be (the part of CCB responsible for CVD) was one of my LinkedIn contacts. Unfortunately, it seems like Belgium’s current ecosystem for Coordinated Vulnerability Disclosure (CVD) is deeply broken.