They are rude, they will deny everything, if you try to escalate they threaten you (even if you show them evidences and no matter how well you documented things)... but then if you hold your ground they give up.
I'm not sure if they really believe they are right or they are trying to gaslight you hoping that you will give up
Anyway, thanks for pointing the issue out and don't let this cultural issue stop you from doing the right thing. In the end they will chicken out.
I think this part of the Belgian culture is getting on everybody's nerves. I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I would definitely would like to see more intellectual honesty and sportsmanship.
Thanks for your hard work and for putting up with this.
From my experience as an immigrant, it's exactly the same in Germany and Austria. For the locals who grew up into the system it doesn't feel terrible, but if you grew up in a country with common sense in business, this is infuriating.
>I think this extra 'arrogance tax' makes people think it twice before doing business in Belgium.
I think this is an intentional feature, not a bug. It's a hidden form of protectionism against EU's freedom of movement and trade, to discourage foreigners or small businesses from chapter countries with hustle mentality, to come in and displace entrenched local businesses who would like to have their cake and eat it too, since this pattern appears way too often in EUs rich countries to be just a coincidence. They specifically DON'T WANT YOUR business be opened there because then you're a competitor to the business establishment status quo there, but they can't outright say that.
I observed is that Belgian people apply the same bad treatment to other Belgian people. So I believe this has nothing to do with racism or protectionism.
The culture is simply like this, and they are both victims and perpetrators of their own behavior.
In a way, that makes me be a bit forgiving, but still, it is sad to see this unconstructive and toxic behavior.
The worst is this attitude is also applied internally in those organisations. Too often, everybody knows about some critical vulnerabilities but talking about them will get you in big troubles. This also apply to security consultants and "auditors".
The saddest part is Belgium was, if I remember correctly, at the forefront of online banking security in the early 2000s with strong auth physical tokens and digital signatures [0]
They seem to have switch to this itsme system to cut costs.
This is a very short deadline, with onerous requirements. They most likely won't give you permission to share any information about this vulnerability with anyone else. If it's a common vulnerability affecting non-Belgian entities, you'll be required to leave them uninformed and vulnerable.
The most rational response for law-abiding vulnerability researches is to stay away from everything Belgian and never report anything to them.
You'd think that you rather encourage and reward researchers to ethically hack your systems rather than having the MI5 do it, as it happened recently.
(https://www.infosecurity-magazine.com/news/how-gchq-hacked-b...)
People who make those policies have the mentality of career politicians, who only care about protecting their careers, they don't give a damn about the greater good.
You cannot expect an honest response from (ffs!) a bank! They are the most dishonest people on planet earth.
If there is a bounty, go through the hoops and do get paid. If not, then feel free to go for a lunch with someone-who-knows/trusts-someone and solve it in the d-l.. with all the plausible deniability you can get "I saw the photo of the guy/gal on LI and wanted to meet him/her for the sex.. I dunno what hacking-vuln you are talking about!"
You may think that the above is risky/dangerous/wrong; good! (https://www.youtube.com/watch?v=d-7o9xYp7eE)
It is a sad state-of-affairs that the culture is like this. Ultimately it results in a less secure society, where vulns are anonymously disclosed and shared.
No good deed left unpunished.
PeterStuer•13h ago
The 'attack' is getting the victim to confirm the identity or signature for you through social engineer them to initiate the set up of a parralel session.
This is possible for inplementations of ItsMe that only rely on Phonenumber/Application, and do not validate the actual session, e.g. by having the user scan an in session QR code.