Could someone with legal/data-privacy expertise comment on whether this would be something they have to disclose under data breach disclosure laws?
Technically it might not be a "data leak", but it very well could result in one if arbitrary content (including js?) can be uploaded to these webpages?
They've been contacted through the "proper channels" over 18 months ago by several (more than 1) security researchers.
After some people started publicly naming and shaming on LinkedIn and tagging ENISA, the issue got some exposure, but still was not fixed. It only made it more evident that several people independently reported these issues, and they became aware of peers stumbling over the issue. Still nothing happened.
ENISA is supposed to act as a CNA and expects to be notified of data breaches from EU-based orgs for PSIRT / CSIRT as part of the Cybersec Resilience Act and other laws.
Would I trust that vulnerability data that gets reported as a CVE, or a breach notification, is safe with ENISA?
... feck no!
Would I trust that documents that europa.eu hosts on its infra are authentic? (such as security-compliance documents telling orgs how to properly implement security, but literally any public communication under one of the domains)
... hecking heck no!
... At this stage I think everyone else except ENISA has control over their infrastructure.