Comment by Permik

1 month ago

If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

Traficom's FCSC has been a great asset for white hat security reseachers globally by allowing them to just keep contributing to the common good.

I should have known this exists, yet I didn't. Thanks for pointing it out.

This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.

> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

The CCC (Chaos Computer Club) in germany will probably do the same.

Were you somehow able to intuit that parent is Finnish?

I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.

  • > the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO

    Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with

    > Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.

    • That now that they've joined NATO, it's safe to share with them.

      A "neutral" country might abuse them.

You now have the worst of both worlds.

You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.

All of that without any benefits.

  • If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia but it's not "reporting yourself" here

    • I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.

      2 replies →

  • Sir, this is not USA, don't assume stuff fucked up there is fucked up everywhere

    • It's starting to be so common on the internet, clueless US residents not really grokking things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot been lied to your entire life...

      2 replies →

  • Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?

    • Well I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch, I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.

      You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...

      This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."