On 10 June 2025 the Belgian GDPR supervisory authority (GBA) launched its new application where DPOs can be registered and where data breaches can be reported. Because I’m interested in GDPR breach notification requirements, I decided to take a look at the application on 12 June. Within …

This post is about the reason I will probably never try to warn any organisation in Belgium about any vulnerability again. Recently I have been dealing with an attempt at coordinated vulnerability disclosure (CVD) with an organisation in Belgium. This post is not about that, because I’m not …

Supervisory authorities should view supply chains as an asset to use in their enforcement activities instead of an obstacle in their investigations. Let’s use two examples by the Dutch data protection authority (AP) as an example: Locatefamily.com and Clearview AI.

Locatefamily.com

On December 10 …

What happened?

Stripchat is a website owned by Technius Ltd. in Cyprus that hosts a large amount of adult webcam operators. The owner has been reprimanded by the Cyprus data protection authority for a breach of over 64 million user accounts and not informing them properly about the breach. I …

TLDR: It depends.

People who discover bugs and security vulnerabilities and want to improve security by publishing about their findings generally have a substantial task managing competing interests in the process. Publishing your findings can help others learn from that single mistake by installing …

A common theme when trying to report unlawful tracking on websites and apps is that it can be ambiguous whether CVD is meant for these kinds of issues. Is it really a security vulnerability or even a breach of security? My assumption is that generally security policies dictate that security measures …

While discussing Coordinated Vulnerability Disclosure I often experience that people strongly focus on coordinating the vulnerability information with organizations, while the disclosure part is often ignored or even actively discouraged. The last blog I wrote here was actually about a company that …

Recently I have investigated online tracking on the websites of Dutch Political Parties. Read more about that investigation here: Dutch English

Included in that investigation is my request to remove the unlawfully collected personal data. Today I received a response stating that the platform is …

Vincent Manancourt of Politico has published an article including my research into unlawful online tracking on the websites of Dutch political parties.

Here is another blog about Plimus. It seems like they don’t want to communicate or fix security issues instead they continue building new features. It’s a shame that a company that handles money as a primary business doesn’t have security as a top priority. This blogpost is about a …

It’s been a while since I have reported a few security bugs to Plimus. It took a few blogposts explaining the issues publicly before I got in contact with an engineer. I understand that making backwards incompatible changes to your customer facing API’s is not a trivial task, however the …

Laptops are easy to lose or steal and you don’t want any potentially sensitive data to be stolen too. For that purpose many companies now require disk encryption. The OpenBSD softraid CRYPTO discipline has grown to be a mature piece of software and since I was long due for a fresh OpenBSD …