We report vulnerabilities to prevent issues

Whenever a vulnerability is found, we open a case and create a fingerprint. After that we'll start scanning to identify vulnerable instances and notify the owners of these systems.


CSIRT: Computer Security Incident Response Team

The CSIRT handles the scanning for and disclosure of vulnerabilities, whether discovered by DIVD researchers or by third parties, warns people about leaked credentials, and operates our CVE Numbering Authority (CNA) capability.

Only owners of vulnerable instances receive a notification with the host information and mitigation steps.


Step by step of what you should do

If you've received a notification (email) from our CSIRT, check whether the sender's email address contains @divd.nl. This could be csirt@divd.nl, divd-case-number@csirt.divd.nl or name-of-researcher@divd.nl (some of our researchers prefer to send notifications from their personal divd account).
1. Read the e-mail thoroughly

The email contains all the information you'll need to take action on this vulnerability. We always describe the possible consequences if the vulnerability is exploited by a threat actor.

2. Check your security policy and forward this email to the right person

Some organisations employ a CISO, developer or other IT-team member; please inform the right person in your organisation about the vulnerability. If you don't have a contact who could help you out, please reply to our email and we'll do our best to help you.

3. Check the status of the case on the CSIRT website

We update the casefile whenever there's any news on the vulnerability. This might be when a patch becomes available or, unfortunately, in cases where no patch is available yet, an update on what type of mitigations you can take.

4. Make sure your responsible disclosure policy is accurate

Please add 'security.txt' to your responsible disclosure policy. You can use securitytxt.org to easily create a security.txt file and ask your administrator to publish it on the website.
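Two of the checks in these steps, verifying that a notification really comes from a divd.nl address and sanity-checking a published security.txt, as an added Python example that is not DIVD's own code. It assumes the sender domains named above; the check of security.txt against the two fields RFC 9116 makes mandatory (Contact and Expires) goes beyond what the page states, and the addresses and file text used in the test are constructed.

```python
from datetime import datetime, timezone
from email.utils import parseaddr

# Sender domain named on the page (csirt@divd.nl, divd-case-number@csirt.divd.nl, name@divd.nl).
TRUSTED_DOMAIN = "divd.nl"


def sender_is_divd(from_header: str) -> bool:
    """True when the address in a From: header is divd.nl or one of its subdomains.

    The whole domain is compared, so lookalikes such as 'divd.nl.example' or
    'notdivd.nl' are rejected even though they contain the string 'divd.nl'.
    """
    _, addr = parseaddr(from_header)  # strips any display name
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def security_txt_problems(text: str, now=None) -> list:
    """Return the problems found in a security.txt body (an empty list means OK).

    Checks the two fields RFC 9116 makes mandatory: Contact, and Expires,
    which must be an ISO 8601 date-time that has not yet passed.
    """
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact field")
    if "expires" not in fields:
        problems.append("missing Expires field")
    else:
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if expires.tzinfo is None:  # treat a naive time as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    return problems
```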

Ethics

Ethics at the base of everything we do

As we work on sensitive data, gathered without informed consent, we established this Code of Conduct to provide an ethical base for the work we do. This code can also be used by other researchers working on what is currently referred to as responsible disclosure, or coordinated vulnerability disclosure.

Code of conduct

FAQ

If this F.A.Q. doesn't answer your question, please do not hesitate to contact us. We'll do our best to answer your question to the best of our knowledge.


Is it legal what DIVD is doing?

Dutch jurisprudence is clear: if you serve a societal need with appropriate means, you are allowed to perform these small hacks in order to prevent the really damaging hacks. Our way of working is approved by the Dutch Public Prosecution Office and the National Cyber Security Center.

Why did I receive an email from DIVD / CSIRT?

If we find a vulnerability, we'll set up a case with all the details we know and how to patch the vulnerability. Then we scan known IP addresses to see if they're vulnerable, and if that's the case we'll send out an email for every vulnerable IP address.

Our emails are personally written by one of our researchers and contain a link to the casefile on the csirt.divd.nl site.

Who works for DIVD?

Most of our volunteers work in cybersecurity as their daily job; this could be at a commercial security company, in government or as a freelancer. Some of our volunteers don't work in security at all but have a great interest in making the digital world safer.

All of our volunteers are screened and have provided a certificate of conduct. Our code of conduct is sacred; we do not deviate from it.

What type of vulnerabilities do you notify?

Anything that is classified as high risk / high impact. We prioritize the vulnerabilities we work on by various metrics, for instance how large the exposure on the internet is and whether it is being actively abused.

How can we contribute to this initiative?

Join DIVD as a volunteer or as a partner, put security.txt on your website, take action after you’ve received a notification email or make a donation.

Not a regular office

We are a network of security researchers who mainly work online. If you want to contact us, you can send an e-mail to question@divd.nl or use our contact form.

You can also meet us at cyber security conferences and hacker events or just follow us on Twitter.

For questions related to our CSIRT you can email csirt@divd.nl.