DIVD-2024-00004 - 2024-00004 Global NGOs

Our reference	DIVD-2024-00004
Case lead	Tabitha Vogelaar
Author	Victor Gevers
Researcher(s)	Alwin Warringa Amirali Amirkhani Anje Knottnerus Barre Dijkstra Bartlomiej Lizak Emirhan Baser Inanc Yigit Jeroen van der Broek Joost Grunwald Joris Cras Kees van Poeijer Lennaert Oudshoorn Luc Groot Landeweer Martin van der Kroon Max van der Horst Nico-Dirk van Loo Serena de Pater Victor Pasman Winko Erades van den Berg
CVE(s)	n/a
Product	n/a
Versions	any
Recommendation	If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Status	Open
Last modified	07 Apr 2025 10:22 CEST

Summary

This initiative focuses on identifying and addressing vulnerabilities in the publicly accessible assets of NGOs.

Recommendations

After receiving a notification, it is very important that the vulnerability outlined in the correspondence is promptly addressed and remediated. The notification will provide detailed information, including the specific location and a comprehensive description of the identified vulnerability.

Please do not hesitate to reply to this email if you have any questions or need help with the mitigation process. Our team can readily offer support and guidance to ensure the vulnerability is effectively resolved.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) has been proactively identifying and assessing non-governmental organizations (NGOs) for potential security vulnerabilities. Our team conducts thorough scans to detect any known weaknesses within these entities. Upon identifying vulnerabilities, we promptly notify and inform the affected organizations.

These notifications are dispatched in multiple phases. The initial phase is in collaboration with Cyber Peace Institute, The Hague Humanity Hub and the The Hague Municipality and is focused on securing NGOs within The Hague. After this collaboration ends, DIVD will continue to scan the rest of the world for vulnerable assets of NGOs to notify and inform them of any vulnerabilities that are found.

Timeline

Date	Description
04 Oct 2023	Case started
01 Mar 2024	Discovery of NGOs and their domains started.
30 Sep 2024	Roughly 56.000 candidate NGOs found for scanning, continuing discovery.
04 Nov 2024- 20 Nov 2024	Vulnerability scanning a set of 67 NGO’s for the collab project, ending with notifications being send out
06 Jan 2025- 29 Jan 2025	Vulnerability scanning a set of 20 NGO’s for the global project, ending with notifications being send out
02 Feb 2025	Vulnerability scanning a set of ~200 NGO’s for the collab project, ending with notifications being send out
02 Feb 2025	Vulnerability scanning a set of 30 NGO’s for the global project, ending with notifications being send out

gantt title DIVD-2024-00004 - 2024-00004 Global NGOs dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00004 - 2024-00004 Global NGOs (still open) :2023-10-04, 2025-04-21 section Events Case started : milestone, 2023-10-04, 0d Discovery of NGOs and their domains started. : milestone, 2024-03-01, 0d Roughly 56.000 candidate NGOs found for scanning, continuing discovery. : milestone, 2024-09-30, 0d Vulnerability scanning a set of 67 NGO’s for the collab project, ending with notifications being send out (16 days) : 2024-11-04, 2024-11-20 Vulnerability scanning a set of 20 NGO’s for the global project, ending with notifications being send out (23 days) : 2025-01-06, 2025-01-29 Vulnerability scanning a set of ~200 NGO’s for the collab project, ending with notifications being send out : milestone, 2025-02-02, 0d Vulnerability scanning a set of 30 NGO’s for the global project, ending with notifications being send out : milestone, 2025-02-02, 0d

More information

Free cybersecurity support program for 200 humanitarian NGOs in The Hague.