They are rude, they will deny everything, if you try to escalate they threaten you (even if you show them evidence and no matter how well you documented things)... but then if you hold your ground they give up.
I'm not sure if they really believe they are right or they are trying to gaslight you hoping that you will give up.
Anyway, thanks for pointing the issue out and don't let this cultural issue stop you from doing the right thing. In the end they will chicken out.
I think this part of the Belgian culture is getting on everybody's nerves. I think this extra 'arrogance tax' makes people think twice before doing business in Belgium.
I would definitely like to see more intellectual honesty and sportsmanship.
Thanks for your hard work and for putting up with this.
From my experience as an immigrant, it's exactly the same in Germany and Austria. For the locals who grew up into the system it doesn't feel terrible, but if you grew up in a country with common sense in business, this is infuriating.
>I think this extra 'arrogance tax' makes people think twice before doing business in Belgium.
I think this is an intentional feature, not a bug. It's a hidden form of protectionism against the EU's freedom of movement and trade, to discourage foreigners or small businesses from cheaper countries with a hustle mentality from coming in and displacing entrenched local businesses who would like to have their cake and eat it too; this pattern appears way too often in the EU's rich countries to be just a coincidence. They specifically DON'T WANT YOUR business to be opened there, because then you're a competitor to the business establishment status quo, but they can't outright say that.
The worst is this attitude is also applied internally in those organisations. Too often, everybody knows about some critical vulnerabilities but talking about them will get you in big trouble. This also applies to security consultants and "auditors".
The saddest part is Belgium was, if I remember correctly, at the forefront of online banking security in the early 2000s with strong auth physical tokens and digital signatures [0].
They seem to have switched to this itsme system to cut costs.
This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable.
The most rational response for law-abiding vulnerability researchers is to stay away from everything Belgian and never report anything to them.
PeterStuer•1h ago
The 'attack' is getting the victim to confirm the identity or signature for you by socially engineering them into initiating the set-up of a parallel session.
This is possible for implementations of ItsMe that only rely on phone number/application, and do not validate the actual session, e.g. by having the user scan an in-session QR code.