In the digital age, security vulnerabilities pose a significant threat to individuals, organizations, and governments alike. Local authorities play a crucial role in maintaining online security, but a recent study conducted by the University of Twente and the Dutch Institute for Vulnerability Disclosure (DIVD) highlights their slow and inadequate response to reports about security vulnerabilities. This is concerning, considering the fact that these reports are often submitted by ethical hackers who aim to make the internet a safer place.

A Concerning Lack of Resolution

Out of the 114 Dutch municipalities tracked in the study, only 89 were responsive to the security notifications. Shockingly, 44 municipalities failed to respond within the specified 90-day period, as outlined by the University of Twente’s Coordinated Vulnerability Disclosure. Even among the municipalities that did respond, 49 of them failed to resolve the reported issues. In 10 municipalities, the security vulnerabilities were fixed, but the notifiers were not informed of the resolution.

Despite these disheartening findings, there are reasons to remain optimistic. The study did identify some municipalities that proactively responded to the notifications. In 19 municipalities, the reports were handled appropriately, and the notifiers received a response. However, it is crucial to acknowledge that improvements are needed to ensure a consistent and effective response across all local authorities.

The research was conducted by Koen van Hove, a Ph.D. candidate at the University of Twente, a software and research engineer at NLnet Labs, and a researcher at the Dutch Institute for Vulnerability Disclosure. Van Hove’s curiosity about how coordinated vulnerability disclosure (CVD) procedures function in Dutch municipalities led him to initiate this study. Between August 2022 and February 2023, he reported a security vulnerability in commonly used software to 114 Dutch municipalities, following the CVD procedure available on their websites.

During the reporting process, Van Hove encountered several challenges. Many municipalities had malfunctioning reporting forms and email addresses, making it difficult to submit reports effectively. Additionally, the reporting methods varied across municipalities, causing confusion and hindering the process. A notable obstacle was the requirement to log in via DigiD to access reporting forms, which made anonymous reporting impossible.

The research findings underscore the urgent need for improvement in the CVD procedures of local authorities. More than half of the contacted municipalities, 60 out of 114, have not yet published or enforced a clear CVD procedure. This lack of clarity and consistency leaves significant room for improvement. Clearly defined and accessible reporting procedures should be available on municipal websites, ideally providing an option for anonymous reporting without unnecessary requests for personal data.

Volunteers who submit these vulnerability reports are not legally obligated to do so. However, their contributions are crucial in safeguarding online security. To encourage more individuals to come forward, the threshold for reporting must be kept as low as possible. This can be achieved by simplifying the reporting process and making it as straightforward as possible for notifiers. Additionally, informative and timely communication between the municipalities and notifiers is vital to foster trust and collaboration.

The importance of coordinated vulnerability disclosure in municipalities cannot be overstated. The case of the 2020 ransomware attack on the municipality of Hof van Twente serves as a stark reminder of the potential consequences of overlooking security vulnerabilities. Ethical hackers who submit these reports do so out of their awareness of the significance of online security. It is imperative for local authorities to recognize this and facilitate the reporting process in every possible way.

The study conducted by the University of Twente and the Dutch Institute for Vulnerability Disclosure sheds light on the need for improved coordinated vulnerability disclosures in local authorities. While there are municipalities that respond appropriately, the overall response is inadequate, with delays and unresolved issues. To enhance online security, local authorities must prioritize the development and enforcement of clear and accessible CVD procedures. By doing so, they can foster a collaborative environment with ethical hackers and ensure the effective resolution of security vulnerabilities.
