Do (Not) Tell Me About My Insecurities: Assessing the Status Quo of Coordinated Vulnerability Disclosure in Germany Amid New EU Cybersecurity Regulations
Pith reviewed 2026-06-25 20:06 UTC · model grok-4.3
The pith
German DAX companies raised coordinated vulnerability disclosure adoption from 50% to over 90% between 2023 and 2025.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Adoption of CVD programs and security.txt files among the 40 DAX companies rose from 50 percent in 2023 to more than 90 percent in 2025, accompanied by ten new CVD programs and twenty-five new security.txt files; legal obligations under NIS2 and CRA are named as adoption drivers while lack of human resources and varying report quality are listed as drawbacks.
What carries the argument
Longitudinal tracking of public CVD information plus emailed and mailed questionnaires sent to all forty DAX companies, with responses received from twenty percent.
If this is right
- Policymakers receive direct reports of practical difficulties that arise once companies begin operating under the new EU rules.
- Smaller firms gain a concrete reference point when deciding whether and how to create their own reporting channels.
- Ten additional CVD programs and twenty-five additional security.txt files document measurable growth in contact points.
- Staffing shortages and inconsistent incoming reports remain obstacles that must be addressed for the programs to function well.
Where Pith is reading between the lines
- The same regulatory pressure could produce comparable adoption jumps in other EU member states that must also implement NIS2 and CRA.
- Repeating the survey on a broader set of German companies would show whether the rise is limited to large listed firms or has spread more widely.
- High formal adoption may still leave many reports unaddressed if resource limits prevent timely review.
Load-bearing premise
The twenty percent of companies that answered the questionnaires plus the public data they supplied give an accurate picture of CVD practices across the full set of forty DAX firms.
What would settle it
A later survey that reaches a majority of the same forty companies and records an overall CVD adoption rate below seventy percent for 2025.
Original abstract
In our increasingly interconnected world, good IT security practices are necessary to prevent vulnerabilities and data breaches. Providing security contacts, e.g., via Coordinated Vulnerability Disclosure (CVD) programs or security.txt files, is an important practice for businesses to facilitate vulnerability reporting by external parties. As part of a longitudinal study, we analyzed the adoption of, as well as the challenges and experiences with, CVD programs among the 40 companies listed on Germany's DAX (the country's primary stock market index). In addition to monitoring publicly available information about their CVD programs, we sent out questionnaires via email and postal mail in 2023 and 2025, and received answers from 20% of the companies. The adoption rates show a significant increase from 50% (2023) to over 90% (2025), with ten new CVD programs and 25 new security.txt files now available. The survey answers reveal that, for example, legal obligations (e.g., NIS2 and CRA) drive the adoption of CVD practices, but a lack of (human) resources and varying report quality are considered drawbacks. As the first study to survey 40 German stock market index (DAX) companies on their CVD practices, our results can help foster the adoption and understanding of security programs among SMEs and other companies, and provide policymakers with insights into practical challenges and industry experiences.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper reports results from a longitudinal study of Coordinated Vulnerability Disclosure (CVD) adoption among Germany's 40 DAX companies. Public monitoring combined with 2023 and 2025 questionnaires (20% response rate) shows adoption rising from 50% to over 90%, including ten new CVD programs and 25 new security.txt files. Legal obligations (NIS2, CRA) are identified as primary drivers while resource shortages and variable report quality are listed as drawbacks. The work positions itself as the first such survey of DAX firms.
Significance. If the public-monitoring counts prove reproducible, the longitudinal data would supply concrete evidence of regulatory impact on large-firm security practices and could usefully inform both policy and SME guidance.
major comments (2)
- [Methodology] Methodology (public monitoring paragraph): No search protocol, exact operational definition of 'CVD program,' or verification procedure for security.txt files is described. These details are required to reproduce the headline counts that underpin the claimed rise from 50% to over 90% adoption.
- [Results] Results (survey responses): The 20% response rate is reported without non-response bias analysis, confidence intervals, or any cross-check of self-reported data. This directly affects the reliability of the stated challenges and drivers drawn from the questionnaire answers.
minor comments (1)
- [Abstract] Abstract: 'over 90%' is stated without an exact figure or reference to the table that lists the precise 2025 count.
Simulated Author's Rebuttal
We thank the referee for the constructive comments on our manuscript. We address each major comment below and commit to revisions that enhance methodological transparency and acknowledge survey limitations.
- Referee: [Methodology] Methodology (public monitoring paragraph): No search protocol, exact operational definition of 'CVD program,' or verification procedure for security.txt files is described. These details are required to reproduce the headline counts that underpin the claimed rise from 50% to over 90% adoption.
Authors: We agree that the public monitoring description is insufficient for reproducibility. The revised manuscript will add a dedicated methods subsection specifying the search protocol (systematic queries on company domains and security-related keywords across 2023 and 2025), the operational definition of a CVD program (presence of a dedicated vulnerability disclosure policy or contact channel meeting basic criteria), and the verification procedure for security.txt files (automated field checks per RFC 9116 followed by manual confirmation of accessibility and content). These additions will directly support the reported adoption increase. revision: yes
- Referee: [Results] Results (survey responses): The 20% response rate is reported without non-response bias analysis, confidence intervals, or any cross-check of self-reported data. This directly affects the reliability of the stated challenges and drivers drawn from the questionnaire answers.
Authors: We accept that the survey results section requires stronger qualification. The revision will incorporate a limitations paragraph addressing the 20% response rate, potential non-response bias (e.g., larger firms with established programs may have been more likely to respond), and the absence of formal confidence intervals. We will also document cross-checks between questionnaire answers and publicly observable CVD elements where available. A full statistical non-response bias analysis cannot be performed retrospectively without additional non-respondent data. revision: partial
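The rebuttal above refers to automated field checks per RFC 9116 for security.txt files. As an added illustration (not code from the paper or from this page), the following Python runs such a check on a file body that has already been fetched. The function names, finding codes and sample files are assumptions made for this example, and the OpenPGP cleartext signature framing is skipped rather than verified.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

URI_FIELDS = {"acknowledgments", "canonical", "contact",  # value is a URI
              "encryption", "hiring", "policy"}
SINGLE_USE = {"expires", "preferred-languages"}           # at most one occurrence


def parse_security_txt(text):
    """Return {lowercased field name: [values]}; comments, blank lines and
    OpenPGP cleartext-signature framing are skipped (signature not verified)."""
    fields, skipping = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            skipping = "armor"        # header lines such as "Hash: SHA512"
        elif line == "-----BEGIN PGP SIGNATURE-----":
            skipping = "signature"
        elif skipping == "armor":
            if not line:              # a blank line ends the armor headers
                skipping = None
        elif skipping == "signature":
            if line == "-----END PGP SIGNATURE-----":
                skipping = None
        elif line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a sorted list of finding codes; an empty list means no finding."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = set()
    if not fields.get("contact"):                 # Contact is required
        findings.add("missing:contact")
    for name in SINGLE_USE:
        if len(fields.get(name, [])) > 1:
            findings.add(f"duplicate:{name}")
    expires = fields.get("expires", [])
    if not expires:                               # Expires is required
        findings.add("missing:expires")
    elif len(expires) == 1:
        try:   # RFC 3339 timestamp; map a trailing "Z" to an explicit offset
            when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:
            findings.add("invalid:expires")
        elif when <= now:
            findings.add("expired")
        elif when - now > timedelta(days=366):    # RFC recommends under a year
            findings.add("warn:expires-over-one-year")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            scheme = urlparse(value).scheme.lower()
            if not scheme:                        # e.g. bare e-mail address
                findings.add(f"not-a-uri:{name}")
            elif scheme == "http":                # web URIs must be https
                findings.add(f"insecure-uri:{name}")
    return sorted(findings)


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock for the samples
GOOD = """\
# Constructed sample, not taken from any company in the study
Contact: mailto:security@example.com
Expires: 2025-12-31T23:00:00Z
Preferred-Languages: en, de
Policy: https://example.com/cvd-policy
"""
BAD = """\
# Constructed sample with four defects
Contact: security@example.com
Policy: http://example.com/policy
Expires: 2024-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_txt(body, NOW))
```

A monitoring run would additionally record where the file was found (`/.well-known/security.txt` over HTTPS, or the legacy top-level path) before passing the body to the check.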
Circularity Check
No circularity: purely observational survey with direct counts
The paper reports adoption rates via public monitoring and a 20% questionnaire response among 40 DAX companies, presenting raw counts (50% to >90%, ten new programs, 25 new security.txt files) and self-reported challenges. No equations, fitted parameters, model predictions, or derivation steps exist. No self-citations are load-bearing for the central claims, and results do not reduce to prior inputs by construction. This is a standard empirical survey without the circular patterns defined.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: 20% questionnaire response rate plus public data suffices to characterize practices of all 40 DAX companies
- domain assumption: Self-reported reasons for adoption (legal obligations, resource issues) accurately reflect company experiences