Provides a definition for what constitutes the legitimate disclosure of a vulnerability by a private person; it also determines the following restrictions: 1. The operation, functionality, services and data availability or integrity of the communication and information system may not be disrupted or altered. 2. When a vulnerability is identified, the search activity is terminated. 3. Within 24 hours of the start of the search activity, information on search results must be submitted to the NCSC under the Ministry of National Defence or CSE. 4. It is not unnecessarily sought to validate, monitor, record, intercept, acquire, store, disclose, copy, modify, corrupt, delete, destroy data managed by a cybersecurity entity. 5. No attempts are made to guess passwords. Passwords obtained illegally are not used and employees of the CSE or other persons who have the right to use non-public information relevant to the search for loopholes are not exploited or manipulated in order to obtain the information. 6. Information about the detected vulnerability is shared only with the NCSC under the Ministry of National Defence or CSE and made public according to the amendment.