Exploring Collaboration on Coordinated Vulnerability Disclosure in Japan

Written on December 18, 2024 by Chris van ’t Hof

I went to Japan!

With the support of the Dutch embassy in Tokyo, I have researched Coordinated Vulnerability Disclosure (CVD) in Japan. I had the opportunity to travel to Japan from October 22 to November 22. 

During my stay, I interviewed security researchers from various governmental institutes, companies, and universities and spoke with hackers, most of whom were foreign nationals residing in Japan. I also participated in conferences and meetings: KEIO Cybersecurity Conference (30-10/1-11), Cyber Risk Meetup (1-11), TengueSec meetup (13-11), CodeBlue (14-11/15-11), and AVTokyo (16-11). One of the highlights of my trip was organizing a CVD expert meeting with the Dutch embassy on the 13th of November. The last days I spent in the beautiful coastal village of Kamakura to start writing this report. 

Key findings

To read all my findings in great detail, please read the official report here. Below is a brief summary of the key points:

Japan’s governmental policy on CVD dates back to 2004.

The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) is an independent institute founded in 1996 and currently funded by METI. The center handles incidents, analyses and shares information on online threats, monitors internet traffic, and has published Vulnerability Notes with Advisories since 2004.

Japanese criminal law and jurisprudence do not allow for large-scale intrusive vulnerability research and disclosure as Dutch case law does.

In Japan, CVD on a broader scope and without informed consent is perceived as very rare. Security researchers generally fear prosecution, as they may violate cyber security and privacy laws. A common statement at hacker events was: “I only report if they provide a bug bounty.”

Japanese institutes help citizens disclose zero days to vendors and report vulnerabilities to website operators.

Organizations like IPA and JPCERT/CC provide structured processes for reporting vulnerabilities, focusing primarily on zero days affecting software or websites widely used in Japan. These reports are forwarded to vendors and operators, though researchers must navigate strict conditions.

NICT scans and notifies vulnerable IoT, and the Japanese government has adjusted laws to allow this.

The NOTICE project aims to prevent cyber-attacks by scanning IoT devices for weak passwords, attempting to log in with them. These activities run parallel to the Handling Regulations for Information Related to Vulnerabilities in Software Products and clearly violate cyber security laws. To proceed with this endeavor, the Cabinet overruled the Act on Prohibition of Unauthorized Computer Access with a special law that gave NICT the mandate. To my knowledge, this is unique in the world.

To read all my findings in great detail, please read the official report here.