DIVD-2022-00012 - Global Charity Vulnerabilities
Our reference | DIVD-2022-00012 |
Case lead | Tom Wolters |
Author | Max van der Horst |
Researcher(s) | |
CVE(s) | |
Product | n/a |
Versions | any |
Recommendation | If you received a notification of a vulnerability, patch your system with the information provided in this notification. |
Status | Closed |
Last modified | 12 Jan 2023 09:06 CET |
Summary
Following the leak of war victims' data at the Red Cross, DIVD started looking for vulnerabilities in charities worldwide. This effort focuses on vulnerabilities in charities' assets that are reachable via the public internet.
What you can do
- If you receive a notification, make sure the vulnerability described in that notification is patched. The notification will be sent along with a location and description of the vulnerability. If you have any questions regarding the mitigation of these vulnerabilities, feel free to reply to the email and we’ll gladly help.
What we did
- DIVD has been searching for charities and scanning them for known vulnerabilities. Any charity that was found to be vulnerable received an email with the information. These emails were sent in several waves. The first wave covered general vulnerabilities found through scanning, whereas the second consisted of notifications of issues found upon manual, deeper inspection. In April 2022, more notifications were sent.
Timeline
Date | Description |
---|---|
22 Feb 2022 | DIVD started scraping for charities globally. |
23 Feb 2022 | DIVD started scanning for vulnerabilities. |
25 Feb 2022 | DIVD sent the first notifications of vulnerabilities. |
27 Feb 2022 | First version of this case file. |
21 Mar 2022 | Second batch of notifications sent |
07 Apr 2022 | Third batch of notifications sent |
12 Jan 2023 | Closed case |