Belgium Is Unsafe for CVD
This post is about the reason I will probably never try to warn any organisation in Belgium about any vulnerability again. Recently I have been dealing with an attempt at coordinated vulnerability disclosure (CVD) with an organisation in Belgium. This post is not about that, because I’m not allowed to write about it. This post explains why I believe Belgium is unsafe for people trying to do CVD. I believe it’s important to warn others so that they know what to expect and can decide for themselves.
For example, when the vulnerability is of a new type (it rarely is), it helps others to learn how to find similar issues in other systems, how to design detections or preventative measures to safeguard against exploitation, etc. It took me a couple of minutes to take a single screenshot that contains all the context needed to reproduce the vulnerability and send a private message on X to someone I know who works at the affected organisation. A couple of weeks later I got a response: they gave me permission to publicly communicate, in the abstract sense, that the concept of “Business Logic Errors” as defined by the CWE exists.