case
Mendix applications: unintended data exposure due to authorization misconfiguration
We have identified a recurring security issue across multiple Mendix applications where data sources (entities/tables) are accessible to anonymous users or to newly registered users with overly broad permissions. This can lead to unauthorized access to sensitive information without exploiting a software vulnerability in the Mendix platform itself.
case
OPERATION ENDGAME PART 3
We are notifying victims of the Rhadamanthys infostealer. Since the datasets contain information on a very large number of individuals, we will not be sending individual notifications. Instead, we are enabling CERTs, CSIRTs and security teams to reach the affected parties.
case
OPERATION ENDGAME 2.0
DIVD is notifying victims of the Latrodectus infostealer, the evolution of IcedID. We are notifying victims that were identified as part of Operation Endgame 2.0. If you have received a notification, please read the instructions carefully.
news
Critical vulnerabilities found in procurement platform used by U.S. public sector
One of our researchers has identified three critical vulnerabilities in the SicommNet BASEC e-procurement system, which is primarily used by U.S. public sector agencies. These vulnerabilities allow malicious actors to bypass all security measures in the system, granting them access to and control over the entire platform, including all customer data stored in its database.
news
DIVD plays an important role in the digital security of the energy sector thanks to its unique position
The Dutch Institute for Vulnerability Disclosure (DIVD) is proud to launch the project 'Coordinated Vulnerability Disclosure (CVD) in the energy sector'. With this initiative, DIVD sets up a new line of research to strengthen the digital resilience of the increasingly vulnerable energy system. We are doing this together with various partners.
news
Press release: Research unveils 17 new zero-days in EV Chargers
Jan 09, 2025 - In our most recent research into the security of EV chargers, 17 new vulnerabilities (zero-days) were discovered in chargers manufactured by iocharger. These vulnerabilities were present in all AC models of iocharger. The research was conducted by external researcher Wilco van Beijnum and DIVD researcher Harm van den Brink.
news
Exploring Collaboration on Coordinated Vulnerability Disclosure in Japan
Dec 18, 2024 - With the support of the Dutch embassy in Tokyo, I (Chris van 't Hof) have researched Coordinated Vulnerability Disclosure (CVD) in Japan. I had the opportunity to travel to Japan from October 22 to November 22. During my stay, I interviewed security researchers from various governmental institutes, companies, and universities and spoke with hackers, most of whom were foreign nationals residing in Japan. I also participated in conferences and meetings: KEIO Cybersecurity Conference (30-10/1-11), Cyber Risk Meetup (1-11), TengueSec meetup (13-11), CodeBlue (14-11/15-11), and AVTokyo (16-11). One of the highlights of my trip was organizing a CVD expert meeting with the Dutch embassy on the 13th of November. The last days I spent in the beautiful coastal village of Kamakura to start writing this report.
news
How to secure your Blob Storage container
Services such as Amazon S3 buckets and Azure Blob Storage offer the convenience of storing data that is accessible to various users and services simultaneously. However, misconfiguring either of these storage services, for example by allowing anonymous (public) access to a container or bucket, can expose your organization to several risks and consequences.
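The quickest way to find out whether a container or bucket is exposed is to ask it the same way an attacker would: send an unauthenticated listing request and look at the answer. The script below is an added example (not code from the original page or from DIVD); it uses the documented anonymous listing endpoints of Azure Blob Storage (`?restype=container&comp=list`) and S3 (`?list-type=2`), and the sample XML responses, account and container names are constructed for the offline demonstration. The mapping of status codes to findings (404 or 403 for a private container or bucket, 409 `PublicAccessNotPermitted` when public access is disabled at the storage-account level) reflects the behaviour of those services as the author understands it and should be treated as an assumption to verify in your own tenant.

```python
"""Check whether an Azure Blob container or an S3 bucket allows anonymous listing.

Added example, not part of the original page. Endpoint formats are the public
REST endpoints of both services; the sample responses below are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def container_list_url(account: str, container: str) -> str:
    """Anonymous 'List Blobs' URL for an Azure Blob Storage container."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def bucket_list_url(bucket: str) -> str:
    """Anonymous 'ListObjectsV2' URL for an S3 bucket (virtual-hosted style)."""
    return f"https://{bucket}.s3.amazonaws.com/?list-type=2"


def listed_objects(body: bytes) -> list[str]:
    """Extract object names from an Azure (<Blob><Name>) or S3 (<Contents><Key>) listing."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []          # a 200 with a non-XML body (e.g. an HTML error page)
    names = []
    for el in root.iter():
        # strip the S3 namespace ({http://s3.amazonaws.com/doc/2006-03-01/}Contents)
        if el.tag.rsplit("}", 1)[-1] in ("Blob", "Contents"):
            for child in el:
                if child.tag.rsplit("}", 1)[-1] in ("Name", "Key") and child.text:
                    names.append(child.text)
    return names


def classify_listing(status: int, body: bytes) -> tuple[str, list[str]]:
    """Turn the result of an anonymous listing request into a finding.

    Status-code mapping is an assumption about service behaviour (see lead-in):
    200 -> listing is public; 409 PublicAccessNotPermitted -> blocked at account
    level; 403/404 -> not listable anonymously (404 does not distinguish a
    private container from a non-existent one).
    """
    if status == 200:
        return "PUBLIC_LISTING", listed_objects(body)
    if status == 409 and b"PublicAccessNotPermitted" in body:
        return "PUBLIC_ACCESS_DISABLED_AT_ACCOUNT", []
    if status in (403, 404):
        return "NOT_ANONYMOUSLY_LISTABLE", []
    return "UNEXPECTED", []


def probe(url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """Perform the anonymous GET; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-listing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample responses for an offline run.
SAMPLE_AZURE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>2024-08-01/customers.csv</Name><Properties><Content-Length>10240</Content-Length></Properties></Blob>
    <Blob><Name>2024-08-01/db.bak</Name><Properties><Content-Length>734003200</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

SAMPLE_S3_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-backups</Name><KeyCount>1</KeyCount>
  <Contents><Key>exports/users.json</Key><Size>4096</Size></Contents>
</ListBucketResult>"""

SAMPLE_AZURE_PRIVATE = b"""<?xml version="1.0" encoding="utf-8"?>
<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"""


if __name__ == "__main__":
    # Offline demonstration on the constructed responses.
    for label, status, body in [
        ("azure backups container", 200, SAMPLE_AZURE_LISTING),
        ("s3 example-backups bucket", 200, SAMPLE_S3_LISTING),
        ("azure private container", 404, SAMPLE_AZURE_PRIVATE),
    ]:
        finding, names = classify_listing(status, body)
        print(f"{label}: {finding} {names}")
    # Live use (requires network): classify_listing(*probe(container_list_url("acct", "backups")))
```

A `PUBLIC_LISTING` finding means anyone on the Internet can enumerate and download the container's contents. Note the blind spot: a container set to blob-level public access returns 404 on the listing request while every blob whose name is known or guessable is still readable, so a clean listing result does not prove the data is private. For Azure, the fix is `az storage container set-permission --name <container> --account-name <account> --public-access off`, backed by `az storage account update --allow-blob-public-access false` so no container in the account can be made public again; for S3, enable Block Public Access on the bucket or account.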
news
Leaked credentials: What we do to keep you safe
On our website, you might have found a page called ‘how we deal with leaked credentials’ or spotted the case ‘DIVD-2020-00013 Leaked phishing credentials’. Does this mean that our volunteers send out phishing emails and leak the obtained credentials of innocent victims? Of course not!
news
Save the Date: Exclusive Event for Partners
Sep 1, 2024 - We’re excited to welcome our partners to a special evening marking our 5th anniversary.
case
DIVD responsibly discloses six new zero-day vulnerabilities to vendor
Aug 12, 2024 - DIVD researchers have discovered and, in collaboration with the vendor, disclosed six new zero-day vulnerabilities in Enphase IQ Gateway devices.
news
Over 1 Million Notifications
Aug 1, 2024 - While the existence of a vulnerability is not something to celebrate, thanks to the hard work of skilled volunteers working for DIVD, we have been able to notify vulnerable organizations of at least 1 million compromised IP addresses.