The related "Belgium is unsafe for CVD" post explains that if you discover any vulnerability in anything in Belgium, it automatically creates a legal obligation on you, with a 24h deadline, to report this secretly and exclusively to Belgian authorities, with logs of everything you've done, even if you're not a Belgian citizen and don't reside in Belgium.
This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable.
The most rational response for law-abiding vulnerability researches is to stay away from everything Belgian and never report anything to them.
brohee 21 minutes ago [-]
Whoever came with those policies doesn't seem to get that the harder you make responsible disclosure the more attractive irresponsible disclosure is, and easy enough to do anonymously. The policy stems from a deep culture of CYA and will instead find them pants around the ankles soon enough.
PeterStuer 4 hours ago [-]
For non Belgians, ItsMe is an identity/digital signature/2FA app used almost universally in banking, ecommerce and gov in Belgium.
The 'attack' is getting the victim to confirm the identity or signature for you through social engineer them to initiate the set up of a parralel session.
This is possible for inplementations of ItsMe that only rely on Phonenumber/Application, and do not validate the actual session, e.g. by having the user scan an in session QR code.
RagnarD 3 hours ago [-]
Moral of the story: Belgium richly deserves the consequences of actual hacking.
xchip 3 hours ago [-]
I'm going to say something unpopular, but unfortunately that attitude is far too common in Belgium, everywhere.. In business, with contractors, with lawyers, in restaurants...
They are rude, they will deny everything, if you try to escalate they threaten you (even if you show them evidences and no matter how well you documented things)... but then if you hold your ground they give up.
I'm not sure if they really believe they are right or they are trying to gaslight you hoping that you will give up
Anyway, thanks for pointing the issue out and don't let this cultural issue stop you from doing the right thing. In the end they will chicken out.
I think this part of the Belgian culture is getting on everybody's nerves. I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I would definitely would like to see more intellectual honesty and sportsmanship.
Thanks for your hard work and for putting up with this.
sunshine-o 3 hours ago [-]
I am not sure this is specific to Belgium, I have seen this attitude in many countries unfortunately.
The worst is this attitude is also applied internally in those organisations.
Too often, everybody knows about some critical vulnerabilities but talking about them will get you in big troubles. This also apply to security consultants and "auditors".
The saddest part is Belgium was, if I remember correctly, at the forefront of online banking security in the early 2000s with strong auth physical tokens and digital signatures [0]
They seem to have switch to this itsme system to cut costs.
>They are rude, they will deny everything, if you try to escalate they threaten you (even if you show them evidences and no matter how well you documented things)
From my experience as an immigrant, it's exactly the same in Germany and Austria. For the locals who grew up into the system it doesn't feel terrible, but if you grew up in a country with common sense in business, this is infuriating.
>I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I think this is an intentional feature, not a bug. It's a hidden form of protectionism against EU's freedom of movement and trade, to discourage foreigners or small businesses from chapter countries with hustle mentality, to come in and displace entrenched local businesses who would like to have their cake and eat it too, since this pattern appears way too often in EUs rich countries to be just a coincidence. They specifically DON'T WANT YOUR business be opened there because then you're a competitor to the business establishment status quo there, but they can't outright say that.
xchip 50 minutes ago [-]
Here is my take (spoiler: I disagree a bit)
I observed is that Belgian people apply the same bad treatment to other Belgian people. So I believe this has nothing to do with racism or protectionism.
The culture is simply like this, and they are both victims and perpetrators of their own behavior.
In a way, that makes me be a bit forgiving, but still, it is sad to see this unconstructive and toxic behavior.
HourOrTwo 25 minutes ago [-]
[dead]
Rendered at 13:30:06 GMT+0000 (Coordinated Universal Time) with Vercel.
This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable.
The most rational response for law-abiding vulnerability researches is to stay away from everything Belgian and never report anything to them.
The 'attack' is getting the victim to confirm the identity or signature for you through social engineer them to initiate the set up of a parralel session.
This is possible for inplementations of ItsMe that only rely on Phonenumber/Application, and do not validate the actual session, e.g. by having the user scan an in session QR code.
They are rude, they will deny everything, if you try to escalate they threaten you (even if you show them evidences and no matter how well you documented things)... but then if you hold your ground they give up.
I'm not sure if they really believe they are right or they are trying to gaslight you hoping that you will give up
Anyway, thanks for pointing the issue out and don't let this cultural issue stop you from doing the right thing. In the end they will chicken out.
I think this part of the Belgian culture is getting on everybody's nerves. I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I would definitely would like to see more intellectual honesty and sportsmanship.
Thanks for your hard work and for putting up with this.
The worst is this attitude is also applied internally in those organisations. Too often, everybody knows about some critical vulnerabilities but talking about them will get you in big troubles. This also apply to security consultants and "auditors".
The saddest part is Belgium was, if I remember correctly, at the forefront of online banking security in the early 2000s with strong auth physical tokens and digital signatures [0]
They seem to have switch to this itsme system to cut costs.
- [0] https://en.wikipedia.org/wiki/OneSpan#History
From my experience as an immigrant, it's exactly the same in Germany and Austria. For the locals who grew up into the system it doesn't feel terrible, but if you grew up in a country with common sense in business, this is infuriating.
>I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I think this is an intentional feature, not a bug. It's a hidden form of protectionism against EU's freedom of movement and trade, to discourage foreigners or small businesses from chapter countries with hustle mentality, to come in and displace entrenched local businesses who would like to have their cake and eat it too, since this pattern appears way too often in EUs rich countries to be just a coincidence. They specifically DON'T WANT YOUR business be opened there because then you're a competitor to the business establishment status quo there, but they can't outright say that.
I observed is that Belgian people apply the same bad treatment to other Belgian people. So I believe this has nothing to do with racism or protectionism.
The culture is simply like this, and they are both victims and perpetrators of their own behavior.
In a way, that makes me be a bit forgiving, but still, it is sad to see this unconstructive and toxic behavior.