

























Abstract: We introduce the Coverage Gap as a measurable distance between the public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital
(OIVs) designated by the National Cybersecurity Agency (ANCI) under Ley 21.663 (Resolucion Exenta No. 87, 2025). Using a passive-only, OSINT-based method consistent with ISO/IEC 29147:2018 and Chile's computer-crimes safe harbour (Ley 21.459), we census the
foundational disclosure-capability layer (Layer 1: a verifiable disclosure contact). Only 16 of 915 OIVs (1.7%) publish a verifiable RFC 9116 disclosure channel; all four major banks and both telecommunications incumbents lack one entirely. This compares with over
99% adherence under CISA Binding Operational Directive 20-01 (the U.S. federal Vulnerability Disclosure Policy directive; the email-authentication mandate is the separate BOD 18-01). On the secondary email-authentication axis, Chilean OIVs are comparatively strong:
DMARC enforcement (quarantine or reject) is present for 146 of 915 designations (16.0%) -- equivalently 16.6% of the 882 measurable domains -- with any-DMARC at 28.0%, above the ~11% top-1M baseline of Tatang et al. (RAID 2021). End-of-life or known-vulnerable
components affect an estimated 23.5% (Wilson 95% CI [12-38%]). We propose a four-stage remediation roadmap and release the open-source tool anci-oiv-resolver v0.6.0 (Apache 2.0) for independent reproduction of the OIV-domain mapping. This is a corrected version 2;
the email-authentication re-anchor and benchmark-label fix are documented in the 'Changes in v2' note.
From: David Mellafe Zuvic
[v1] Thu, 4 Jun 2026 02:17:27 UTC (28 KB)
[v2] Mon, 15 Jun 2026 07:10:36 UTC (28 KB)
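
The two per-domain checks the abstract measures (an RFC 9116 disclosure channel and DMARC enforcement) can be sketched as follows. This is an added example, not code from the paper or from anci-oiv-resolver; it assumes "verifiable" means the RFC 9116 required fields (Contact, a single unexpired Expires) are present, since the paper's exact criteria are not given on this page, and it works on already-fetched text rather than performing any lookups.

```python
from datetime import datetime, timezone

def check_security_txt(body, now):
    """Check the two fields RFC 9116 requires: Contact (1+) and Expires (exactly 1)."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines, comments, PGP armor lines
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    reasons = []
    contacts = fields.get("contact", [])
    if not contacts:
        reasons.append("no Contact field")
    elif not all(c.lower().startswith(("mailto:", "https://", "tel:")) for c in contacts):
        reasons.append("Contact is not a mailto:, https: or tel: URI")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        reasons.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None or when <= now:
                reasons.append("Expires is in the past or lacks a UTC offset")
        except ValueError:
            reasons.append("Expires is not a valid date-time")
    return (not reasons, reasons)

def dmarc_policy(txt):
    """Return the p= value of a DMARC TXT record, or None if it is not a valid one."""
    tags = [t.split("=", 1) for t in txt.split(";") if "=" in t]
    tags = [(k.strip().lower(), v.strip()) for k, v in tags]
    if not tags or tags[0] != ("v", "DMARC1"):
        return None  # the version tag must come first
    policy = dict(tags).get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else None

def is_enforcing(txt):
    return dmarc_policy(txt) in ("quarantine", "reject")

# Constructed sample inputs, not measurements from the paper.
NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)
GOOD = "# constructed\nContact: mailto:security@example.org\nExpires: 2027-01-01T00:00:00Z\n"
STALE = "Contact: https://example.org/report\nExpires: 2024-01-01T00:00:00Z\n"
NO_CONTACT = "Expires: 2027-01-01T00:00:00Z\nPreferred-Languages: es, en\n"

if __name__ == "__main__":
    for name, body in [("good", GOOD), ("stale", STALE), ("no-contact", NO_CONTACT)]:
        print(name, check_security_txt(body, NOW))
    print(is_enforcing("v=DMARC1; p=reject; rua=mailto:d@example.org"))
```

A record with `p=none` counts toward the abstract's any-DMARC figure but not toward enforcement, which is why `dmarc_policy` and `is_enforcing` are kept separate.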