When a vulnerability is found, we open a case and create a fingerprint. A case is a record or file created to document and manage the process of addressing a specific vulnerability. A fingerprint serves as a unique identifier or signature for the vulnerability, aiding in the identification of affected systems. Subsequently, we start scanning to identify vulnerable instances and notify the owners of these systems. This structured approach ensures that vulnerabilities are systematically tracked, managed, and resolved.
CSIRT: Computer Security Incident Response Team
The CSIRT is responsible for scanning and disclosing vulnerabilities identified by either DIVD researchers or third parties. Additionally, it alerts individuals about leaked credentials and manages our CVE Numbering Authority (CNA) functions.
Only owners of vulnerable instances receive a notification with the host information and mitigation steps.
The email contains all the information you'll need to take action on this vulnerability. We always share the possible consequences when the vulnerability is exploited by a threat actor.
Some organisations employ a CISO, developer or other IT team member; please inform the right person in your organisation about the vulnerability. If you don't have a contact who could help you out, please reply to our email and we'll do our best to help you out.
We update the casefile whenever there's any news on the vulnerability. This might be when a patch becomes available. Unfortunately, in some cases there's no patch available yet; we then keep you updated on what type of mitigations you can take.
Please add 'security.txt' to your responsible disclosure policy. You could use securitytxt.org to easily create a security.txt file and ask your administrator to add it in the source of the website.
Since we handle sensitive data collected without informed consent, we've created this Code of Conduct to establish an ethical foundation for our work. This code can also be utilized by other researchers involved in what is currently known as responsible disclosure or coordinated vulnerability disclosure.
If this F.A.Q. doesn’t provide the answer you’re looking for, feel free to reach out to us. We strive to respond to your queries to the best of our ability.
If we find a vulnerability, we’ll set up a case with all the details we know and how to patch this vulnerability. Then we scan known IP addresses to see if they’re vulnerable, and if that’s the case we’ll send out an email to every vulnerable IP address.
Our emails are personally written by one of our researchers and contain a link to the casefile on the csirt.divd.nl site.
Most of our volunteers work in cybersecurity as their daily job; this could be at a commercial security company, government, or as a freelancer. Some of our volunteers don’t work in security at all but have a great interest in making the digital world safer.
All our volunteers are screened and have provided a certificate of conduct. Our code of conduct is sacred; we do not deviate from it.
We are a network of security researchers who mainly work online. If you want to contact us, you can send an email to question@divd.nl or use our contact form. You can also meet us at cyber security conferences and hacker events or just follow us on X (formerly known as Twitter).
For questions related to our CSIRT you can email csirt@divd.nl.