The importance of post-build audits: Do you know what you ship?

You might wonder what this blog post is about. Well, let us tell you a story about how we found a critical vulnerability in the Dutch Electoral Council (Kiesraad) development infrastructure…

Maarten Boone, our dear colleague, was having a quiet dinner with his cats in his apartment on a drizzly Tuesday in July.

He was pondering about a significant Coordinated Vulnerability Disclosure (CVD) he had just submitted to a major medical company together with the Zerocopter team. And he felt pumped about it but also a bit lost, as it had taken up a lot of his time and now… nothing. Finished. Done.

Thinking about what to do next, his mind drifted towards an old project he had previously looked at - the OSV2020 software, which facilitates Dutch elections and is provided by the Electoral Council (Kiesraad). He had thought about creating a new tool, so he could test his ideas on this project and see if it worked. And maybe even find some more issues to report to them.