Code of Conduct

We aim to make the digital world safer by scanning the internet for vulnerabilities
These vulnerabilities are most likely CVE (Commons vulnerabilities and Exposures) or CWE (Common Weakness Enumeration), which should already be known by the people responsible for the vulnerable systems and might be actively exploited. We do not hack websites, we only scan IP ranges, using, for example, Masscan, Zmap or Nmap to identify hosts with the aim to notify the owners.

We validate our findings
For further investigation and to prevent reporting false-positives, we sometimes need to verify if a vulnerability is actually present. We use custom-made scripts, based on publicly available proof of concepts or non-weaponized exploit code. So we take care we don't damage systems, download personal data or create backdoors. Similarly, we don’t patch vulnerable systems. That remains the responsibility of the owner.

We report these vulnerabilities to the ones who are responsible for fixing them
Our researchers will send their report to your info@ and abuse@ mail address and hope your IT department catches up. You may also receive our report through your CERT (Computer Emergency Response Team), PSIRT (Product Security Incident Response Team) or ISP (Internet Service Provider). Reports are accompanied by advice on how to mitigate or fix vulnerabilities. In the Netherland reports are send out by our Security Meldpunt.

We expect a response
If you are responsible for a digital system, we expect you to: have a point of contact where researchers can file their report, promise to respond, provide updates on the progress and warn others who might be affected. It is highly valued if you credit our researchers for helping you out.

We log our research as long as a case is active
After reporting our findings, we repeat our scans in order to track progress. We, therefore, need to store data and log our activities. We may also need this data in case of a dispute. We minimize the amount of personal data we gather and store and are aware of the fact that an IP address can also be perceived as personal data. We believe that our processing of personal information is proportional to our aim to protect much more sensitive personal data in the systems at stake.

We share our findings
During our research we inform the broader security community and the media on our findings on a statistical basis. We only provide the total numbers, no names, or other identifiable information.

And we stick to these rules
DIVD is responsible for reminding researchers of these rules, while it’s the responsibility of each individual researcher to stick to them. If they don’t, their DIVD account will be revoked.

So, in short
We perceive vulnerability disclosure as a societal need. To prove you are vulnerable we use minimal invasive tools (subsidiarity principle) and collect the minimal amount of data (proportionality principle). We don’t go naming and shaming, don’t report you to Data Protection Authorities or law enforcement, don’t serve any company's interests and don’t make any money from this. We are just a group of volunteers who help out victims of online vulnerabilities.