Local authorities often fail to adequately respond to reports about security vulnerabilities. These reports, known as coordinated vulnerability disclosures (CVD reports), are submitted by ethical hackers with the aim of making the internet safer. While there have been improvements in recent years, a study by the University of Twente and the Dutch Institute for Vulnerability Disclosure (DIVD) highlights the need for further enhancement in the response of local authorities.

Out of the 114 Dutch municipalities analyzed in the study, only 89 took action to resolve the reported issues. Of these, 44 municipalities failed to respond within the 90-day period specified in the University of Twente's Coordinated Vulnerability Disclosure policy. Furthermore, in 49 municipalities the security problems remained unresolved even after the report had been acknowledged. In an additional ten municipalities, the vulnerabilities were fixed, but the resolution was not communicated back to the notifier.

While the findings paint a concerning picture, there were some positive outcomes observed in the study. In 19 municipalities, the reports were appropriately handled, and there was a timely response. These proactive responses demonstrate that certain local authorities understand the significance of security vulnerabilities and take prompt action to address them.

The research was conducted by Koen van Hove, a Ph.D. candidate at the University of Twente, as well as a software and research engineer at NLnet Labs. Van Hove’s curiosity about the effectiveness of CVD procedures in Dutch municipalities spurred him to initiate this study. Over a period of six months, from August 2022 to February 2023, he reported a security vulnerability to 114 Dutch municipalities, primarily utilizing the CVD procedures outlined on their official websites.

During the reporting process, Van Hove encountered various challenges that hindered effective communication. Malfunctioning forms and email addresses, as well as confusing reporting methods, were among the obstacles faced. One notable deterrent was that the majority of reporting forms required login via DigiD, which prevents anonymous reporting. Another concerning observation was that in 11 out of 114 cases an automated process was triggered that requested personal information, such as date of birth, marriage date, financial status, and residence permit details, without the relevant staff at the municipalities being informed of the report.

Since January 1, 2019, the Dutch government has mandated the implementation and public disclosure of security issue reporting procedures, known as the Baseline Information Security Government (BIO). However, the research indicates that over half of the contacted municipalities (60 out of 114) have yet to establish and enforce a clear CVD procedure. This lack of adherence to government guidelines highlights the need for improvement and consistency across all local authorities.

The significance of reporting through the CVD system for municipalities was evident in the 2020 ransomware attack on the municipality of Hof van Twente. While volunteers who submit these reports are not legally obligated to do so, they contribute their time and expertise due to the importance they recognize in improving internet security. Therefore, it is crucial to minimize the barriers to reporting by publishing clear and accessible CVD procedures on municipal websites. Anonymity should also be prioritized, and personal data should only be requested when absolutely necessary.

Lastly, the research emphasizes the importance of timely and informative communication with the notifier. Clear and concise communication helps bridge the gap between the ethical hackers and the local authorities, fostering a collaborative approach in addressing security vulnerabilities. Engaging in a continuous feedback loop and providing updates to the notifier can ensure that vulnerabilities are resolved promptly and effectively.

The study conducted by the University of Twente and the Dutch Institute for Vulnerability Disclosure has shed light on the shortcomings in local authorities’ response to security vulnerabilities. While there are municipalities that demonstrate proactive and efficient handling of reports, the overall response rate and resolution remain unsatisfactory. Improving the clarity and accessibility of CVD procedures, as well as prioritizing timely communication, are crucial steps in enhancing the collaboration between ethical hackers and local authorities. Only through these improvements can we hope to achieve a safer digital landscape for all.
