Vulnerability at GBA …
On 10 June 2025 the Belgian GDPR supervisory authority (GBA) launched its new application where DPOs can be registered and where data breaches can be reported. Because I’m interested in GDPR breach notification requirements, I decided to take a look at the application on 12 June. Within …
Belgium is unsafe for CVD
This post is about the reason I will probably never try to warn any organisation in Belgium about any vulnerability again. Recently I have been dealing with an attempt at coordinated vulnerability disclosure (CVD) with an organisation in Belgium. This post is not about that, because I’m not …
Supply chains in GDPR …
Supervisory authorities should view supply chains as an asset to use in their enforcement activities instead of an obstacle in their investigations. Let’s look at two cases handled by the Dutch data protection authority (AP): Locatefamily.com and Clearview AI.
Locatefamily.com
On December 10 …
Stripchat reprimanded for …
What happened?
Stripchat is a website owned by Technius Ltd. in Cyprus that hosts a large number of adult webcam operators. The owner has been reprimanded by the Cyprus data protection authority for a breach affecting over 64 million user accounts and for not informing them properly about the breach. I …
Are bug bounties harmful?
TLDR: It depends.
People who discover bugs and security vulnerabilities and want to improve security by publishing about their findings generally have a substantial task managing competing interests in the process. Publishing your findings can help others learn from that single mistake by installing …
Tracking without consent …
A common theme when trying to report unlawful tracking on websites and apps is that it can be ambiguous whether CVD is meant for these kinds of issues. Is it really a security vulnerability or even a breach of security? My assumption is that generally security policies dictate that security measures …
Coordinated Vulnerability …
While discussing Coordinated Vulnerability Disclosure I often find that people focus strongly on coordinating the vulnerability information with organizations, while the disclosure part is often ignored or even actively discouraged. The last blog post I wrote here was actually about a company that …
Politico: For Dutch …
Vincent Manancourt of Politico has published an article including my research into unlawful online tracking on the websites of Dutch political parties.
Authentication tokens …
Here is another blog post about Plimus. It seems they don’t want to communicate about or fix security issues; instead, they continue building new features. It’s a shame that a company that handles money as its primary business doesn’t have security as a top priority. This blog post is about a …
Howto crack plimus …
It’s been a while since I reported a few security bugs to Plimus. It took a few blog posts explaining the issues publicly before I got in contact with an engineer. I understand that making backwards-incompatible changes to your customer-facing APIs is not a trivial task, however the …
OpenBSD disk encryption
Laptops are easy to lose or steal, and you don’t want any potentially sensitive data to be stolen with them. For that purpose many companies now require disk encryption. The OpenBSD softraid CRYPTO discipline has grown into a mature piece of software, and since I was long overdue for a fresh OpenBSD …