We report vulnerabilities to prevent issues

When a vulnerability is found, we open a case and create a fingerprint. A case is a record or file created to document and manage the process of addressing a specific vulnerability. A fingerprint serves as a unique identifier or signature for the vulnerability, aiding in the identification of affected systems. Subsequently, we start scanning to identify vulnerable instances and notify the owners of these systems. This structured approach ensures that vulnerabilities are systematically tracked, managed, and resolved.

Our researchers search for vulnerabilities

CSIRT: Computer Security Incident Response Team

The CSIRT is responsible for scanning and disclosing vulnerabilities identified by either DIVD researchers or third parties. Additionally, it alerts individuals about leaked credentials and manages our CVE Numbering Authority (CNA) functions.

Only owners of vulnerable instances receive a notification with the host information and mitigation steps.

A step-by-step guide on what you should do

If you’ve received a notification (email) from our CSIRT, check whether the sender address contains @divd.nl. This could be csirt@divd.nl, divd-case-number@csirt.divd.nl or name-of-researcher@divd.nl (some of our researchers prefer to send notifications from their personal DIVD account).

1. Read the e-mail thoroughly

The email contains all the information you'll need to take action on this vulnerability. We always describe the possible consequences if the vulnerability is exploited by a threat actor.

2. Check your security policy and forward this email to the right person

Some organisations employ a CISO, a developer or another IT team member; please inform the right person in your organisation about the vulnerability. If you don't have a contact who could help you, please reply to our email and we'll do our best to help you out.

3. Check the status of the case on the CSIRT website

We update the casefile whenever there's news on the vulnerability, for example when a patch becomes available. Unfortunately, in some cases no patch is available yet; we then keep you updated on the mitigations you can apply in the meantime.

4. Make sure your responsible disclosure policy is accurate

Please add a 'security.txt' file to your responsible disclosure policy. You can use securitytxt.org to easily create a security.txt file; then ask your administrator to publish it on the website.

Ethics

Ethics at the base of everything we do

Since we handle sensitive data collected without informed consent, we've created this Code of Conduct to establish an ethical foundation for our work. This code can also be utilized by other researchers involved in what is currently known as responsible disclosure or coordinated vulnerability disclosure.

Frequently asked questions

If this F.A.Q. doesn’t provide the answer you’re looking for, feel free to reach out to us. We strive to respond to your queries to the best of our ability.

Is it legal what DIVD is doing?

Dutch jurisprudence is clear: if you address a societal need using appropriate methods, you are permitted to execute minor hacks to prevent more damaging ones. The Dutch Public Prosecution Office and the National Cyber Security Center endorse our approach.

Why did I receive an email from DIVD / CSIRT?

If we find a vulnerability, we set up a case with all the details we know and how to patch the vulnerability. Then we scan known IP addresses to see whether they are vulnerable, and for every vulnerable IP address we send out a notification email.

Our emails are personally written by one of our researchers and contain a link to the casefile on the csirt.divd.nl site.

Who works for DIVD?

Most of our volunteers work in cybersecurity as their daily job, whether at a commercial security company, in government, or as a freelancer. Some of our volunteers don’t work in security at all but have a great interest in making the digital world safer.

All our volunteers are screened and have provided a certificate of conduct. Our code of conduct is sacred; we do not deviate from it.

What kinds of vulnerabilities do you report?

Any security vulnerability that falls into the high-risk or high-impact category. The order in which we handle vulnerabilities depends on multiple metrics, including the level of exposure online and whether the vulnerability is under active exploitation.

How can I contribute to this initiative?

You can join DIVD as a volunteer or as a partner, put security.txt on your website, take action after you’ve received a notification email, and/or make a donation.

Not a regular office

We are a network of security researchers who mainly work online. If you want to contact us, you can send an e-mail to question@divd.nl or use our contact form. You can also meet us at cyber security conferences and hacker events, or just follow us on X (formerly known as Twitter).

For questions related to our CSIRT you can email csirt@divd.nl.