- DIVD is a Dutch research institute that works with volunteers who aim to make the digital world safer by searching the internet for vulnerabilities and reporting the findings to those who can fix these vulnerabilities.
- As we work on sensitive data, gathered without informed consent, we established this Code of Conduct to provide an ethical base for the work we do. This code can also be used by other researchers working on what is currently referred to as responsible disclosure, or coordinated vulnerability disclosure.
- In our research projects we, for example:
  - Scan the internet for vulnerabilities, mostly Common Vulnerabilities and Exposures (CVEs), and report our findings and possible solutions to the owners of these systems.
  - Analyse online systems for new vulnerabilities (zero-days), report our findings to the makers and try to help them out in fixing the vulnerabilities.
  - Analyse databases with leaked credentials and report to the organisations or people who are compromised so they can take appropriate measures.
  - Work with trusted partners to extend our reach and notify as many organisations and people as possible.
- We are aware that we operate at the edges of what is legally allowed, so we proceed by these three criteria commonly used in court cases on vulnerability disclosures:
  - Societal need: we do vulnerability disclosure to prevent online damage to as many internet users as possible and don’t serve any particular financial, political or individual interests.
  - Principle of Proportionality: we serve this need with appropriate means. Our research should increase and not decrease the integrity and availability of online systems.
  - Principle of Subsidiarity: if several means are available to meet the need, we opt for the one which has the least impact.
- We validate our findings to avoid reporting false positives or missing false negatives, and sometimes need to verify whether a vulnerability is actually present. We use custom-made scripts based on publicly available proofs of concept or non-weaponized exploit code, and take good care that we don’t damage systems, download too much personal data, or create backdoors.
- Our findings typically consist of lists with several to millions of IP addresses, the type of vulnerability found, contact information, and metadata (e.g. timestamps, scripts, researchers working on the data). This is sensitive data, so we take all precautions necessary to protect the confidentiality of this data.
- We disclose zero-day vulnerabilities to the vendor first, then request CVE numbers and negotiate a reasonable time span for disclosing it to our Trusted Information Sharing Partners and the broader public. Ideally, the disclosure is preceded by a patch. If a vendor is obviously slow in providing the patch and it is likely others may discover and abuse the vulnerability, we may consider disclosure to warn potential victims and advise them on mitigation measures.
- We report the CVEs we find to the owners of the systems, mostly by generating email addresses based on their domain name, such as info@, security@ or abuse@, and to the listed abuse addresses of IP owners. We may also send them our findings through our Trusted Information Sharing Partners, who are, for example, Computer Emergency Response Teams, Computer Security Incident Response Teams, Internet Service Providers, governmental organisations or other research institutes.
- We analyse online threats, not threat actors. We are researchers and don’t serve the needs of governments or law enforcement.
- After reporting our findings, we repeat our scans to track progress. We, therefore, need to store data and log our activities. We may also need this data in case of a dispute. We minimize the amount of personal information we gather and store and are aware that an IP address can also be perceived as personally identifiable information. We believe that our processing of personally identifiable information is proportional to our aim to protect much more sensitive personal data in the systems at stake.
- During our research, we inform the broader security community and the media about our findings only on a statistical basis: just numbers, no names or other identifiable information. We close all research projects with a report, which can be downloaded from divd.nl and is published under a Creative Commons Licence.
- We only report vulnerable systems. Patching or other mitigation is solely the responsibility of the owner.
- DIVD is responsible for making researchers aware of these rules, while it is the responsibility of each researcher to stick to them. If they don’t, the board will take appropriate measures, for instance by revoking their DIVD account.
- This Code of Conduct will also be used as ethical guidance for our DIVD Academy, shared with the broader security community and updated regularly. Suggestions and feedback are welcome. Contact our Secretary Chris van ’t Hof.
Is it legitimate to exchange lists of IP addresses together with vulnerabilities? The short answer is: yes, according to Dutch law we can. You will find the more elaborate answer in this Liability Impact Assessment, prepared by Privacy Management Partners (in Dutch).
Click here to download (Dutch)