In recent years, there have been increased efforts by ethical hackers to identify and report security vulnerabilities to make the internet a safer place. However, a study conducted by the University of Twente and the Dutch Institute for Vulnerability Disclosure (DIVD) reveals that many local authorities are still slow and inadequate in their response to these coordinated vulnerability disclosures (CVD reports). This article examines the findings of the study and highlights the need for improvement in local authorities’ handling of security vulnerabilities.
The study tracked the responses of 114 Dutch municipalities to CVD reports. Out of these, only 89 municipalities addressed the reported issues. Shockingly, 44 municipalities failed to respond within the 90-day period recommended by the University of Twente’s Coordinated Vulnerability Disclosure guidelines. On top of this, in 49 municipalities the vulnerabilities remained unresolved even after the municipality had been contacted. Additionally, 10 municipalities successfully addressed the vulnerabilities but failed to communicate the resolution back to the notifier. There were, however, some positive cases: 19 municipalities responded proactively to the notifications, demonstrating an understanding of the importance of CVD procedures.
Koen van Hove, a Ph.D. candidate at the University of Twente and a software and research engineer at NLnet Labs, conducted the research out of curiosity about how CVD procedures function in Dutch municipalities. Over a six-month period from August 2022 to February 2023, Van Hove reported a security vulnerability in commonly used software to the municipalities, using their respective CVD procedures where available. The vulnerability involved the ability to send emails indistinguishable from legitimate municipal correspondence. Throughout the reporting process, challenges were encountered, including non-working report forms and email addresses, and confusing reporting methods. Anonymous reporting was often impossible because logging in via DigiD was required. In some cases, personal information was automatically extracted without the knowledge or consent of the notifying party.
The research findings highlight the need for improvement in CVD procedures in Dutch municipalities. It was discovered that more than half of the contacted municipalities (60 out of 114) had not yet published or enforced a clear and accessible CVD procedure. This is a concerning observation, considering the importance of reporting vulnerabilities and the potential risks associated with not addressing them promptly. The 2020 ransomware attack on the municipality of Hof van Twente serves as a reminder of the significance of CVD reports. Although the volunteers making these reports are not legally obligated to do so, their contributions are essential for maintaining a secure digital environment. It is crucial to lower the threshold for reporting by providing clear and anonymous reporting procedures on municipal websites, without unnecessary requests for personal data.
The study conducted by the University of Twente and the Dutch Institute for Vulnerability Disclosure reveals the deficiencies in local authorities’ response to coordinated vulnerability disclosures (CVD reports). Despite some municipalities demonstrating proactive handling of security notifications, there is a clear need for improvement. Implementing clear and accessible CVD procedures, ensuring timely communication with notifiers, and safeguarding anonymity are essential steps towards creating a more secure digital environment. By addressing these shortcomings, local authorities can effectively collaborate with ethical hackers to identify and resolve security vulnerabilities, making the internet a safer place for all users.