CISPA – Helmholtz-Zentrum für Informationssicherheit gGmbH
Herrn Dr. Kevin Streit
66123 Saarbrücken, Germany
Data processing by the large scale vulnerability notification research project
Data collected by our analysis tool
Most data that our analysis tool collects while analysing the website is not considered personal data under the GDPR. In some cases it could nevertheless happen that personal data is included in the collected data if it is part of:
- The URL
- The content of certain WordPress plugin changelogs
- The content of the files defined in the security.txt draft. These files are /.well-known/security.txt and /security.txt
- The start page
- The content of other publicly accessible paths
For functionality checking purposes, we temporarily store the responses to the aforementioned requests on disk. This data is needed in order to identify security issues. The legal basis for this processing is Art. 6 (1) (f) and Art. 89 (1) GDPR. Our legitimate interest is the research on feasibility and success criteria of large scale vulnerability notifications. The data will be fully anonymized or deleted after the end of the project, or after 12 months at the latest.
Data used for sending notifications
If we found a security vulnerability in an analysed website, we try to find an email address to which we can report the vulnerability. We either use a functional mail address as defined in RFC 2142, such as security@, abuse@ or webmaster@, or a specific email address given by the website as a point of contact for security vulnerabilities (for example in its security.txt file). We use these email addresses only for communication to report the discovered vulnerabilities.
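The following Python is an added illustration of the contact-discovery logic described above; it is not the project's own analysis tool, which this notice does not describe in detail. It looks up a security.txt body at the two locations named earlier (preferring /.well-known/security.txt), extracts mailto: addresses from its Contact fields, and falls back to the RFC 2142 role addresses security@, abuse@ and webmaster@ when no usable contact is published. The sample security.txt content and the host names are constructed for the example.

```python
import re

# RFC 2142 role addresses used as a fallback when a site publishes no
# mailto: contact in security.txt (assumed ordering for this example).
RFC2142_FALLBACK_ROLES = ("security", "abuse", "webmaster")

# Locations defined by the security.txt draft, in order of preference.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")

# Matches "mailto:<address>" and stops before any "?subject=..." suffix.
MAILTO_RE = re.compile(r"^mailto:([^?\s]+)", re.IGNORECASE)

# Constructed sample file; not a real site's security.txt.
SAMPLE_SECURITY_TXT = """\
# Constructed sample for illustration only
Contact: mailto:Security@Example.org
Contact: https://example.org/vulnerability-report
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en, de
"""


def pick_security_txt(bodies):
    """Return the first non-empty security.txt body, preferring the well-known path.

    `bodies` maps a request path to the response text, or None if the path
    returned nothing usable (e.g. a 404).
    """
    for path in SECURITY_TXT_PATHS:
        body = bodies.get(path)
        if body:
            return body
    return None


def parse_security_txt_contacts(text):
    """Return the e-mail addresses listed in Contact: fields of a security.txt body.

    Only mailto: contacts are returned; https:// or tel: contacts are skipped
    because they cannot be used for an e-mail notification. Comment lines
    starting with '#' and blank lines are ignored; field names are matched
    case-insensitively and addresses are lower-cased for de-duplication.
    """
    addresses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "contact":
            continue
        match = MAILTO_RE.match(value.strip())
        if match:
            address = match.group(1).lower()
            if address not in addresses:
                addresses.append(address)
    return addresses


def choose_notification_addresses(host, security_txt=None):
    """Pick the addresses to notify for `host`.

    Site-provided security.txt contacts win; otherwise the RFC 2142 role
    addresses are formed on the host name (a leading "www." is stripped so the
    role addresses target the registered domain rather than the web host).
    """
    if security_txt:
        contacts = parse_security_txt_contacts(security_txt)
        if contacts:
            return contacts
    domain = host.lower()
    if domain.startswith("www."):
        domain = domain[4:]
    return [f"{role}@{domain}" for role in RFC2142_FALLBACK_ROLES]


if __name__ == "__main__":
    # Constructed responses: the well-known path is missing, the root path exists.
    fetched = {"/.well-known/security.txt": None, "/security.txt": SAMPLE_SECURITY_TXT}
    body = pick_security_txt(fetched)
    print(choose_notification_addresses("www.example.org", body))
    print(choose_notification_addresses("www.example.org", None))
```

A practitioner running this against real sites should also check that the file's Expires field has not passed before trusting its Contact entries, and should treat a mailto: contact exactly as published rather than rewriting it, since the site has designated that address as its point of contact.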
We store the email addresses and any replies sent to us in order to evaluate the communication process as part of our research project. The legal basis for this processing is Art. 6 (1) (f) and Art. 89 (1) GDPR. Our legitimate interest is the research on feasibility and success criteria of large scale vulnerability notifications. The data will be fully anonymized or deleted after the end of the project, or after 12 months at the latest.