Comment Re:Sounds fairly reasonable. (Score 4, Interesting) 37
The guidelines (dutch PDF) have a whole chapter outlining the responsibilities of the organization receiving a disclosure. They include guidelines for solving the issues (60 days for software, 6 months for hardware), reporting back progress to the discloser, allowing a discloser to report the vulnerability to a larger audience as part of the NCSC (government). Combined, these guidelines are an effective tool for security researchers to play by the rules and put pressure on companies together with others.
Researchers are encouraged to disclose to the NCSC as well, which means many security experts will be able to put pressure on companies not fixing vulnerabilities according to these rules.