The Coverage Gap: Chile's Cyber Disclosure Framework versus the USA, EU and UK

Source: arXiv:2606.05594 · Published 2026-06-04 · By David Mellafe Z

TL;DR

This paper introduces the concept of the Coverage Gap, defined as the measurable distance between the observable public cybersecurity disclosure capabilities of critical infrastructure operators and their declared capacity to coordinate vulnerability response. The authors apply this metric comprehensively to Chile’s 915 Operadores de Importancia Vital (OIVs), using a passive OSINT methodology compliant with ISO/IEC 29147:2018 and Chilean cybercrime law. The study reveals an extremely low adoption of verifiable vulnerability disclosure channels (only 1.7%), widespread email authentication misconfigurations (84%), and an estimated 23.5% prevalence of outdated or vulnerable software stacks among Chilean OIVs. Cross-jurisdictional benchmarking situates Chile approximately 8 years behind US, UK, and Dutch mandates on email security and 3 years behind Denmark. The authors propose a practical four-stage regulatory roadmap modeled on US CISA BOD 18-01 and UK DMARC toolkits, also releasing an open-source tool (anci-oiv-resolver) to enable independent large-scale auditing.

Key results show Chile’s critical-infrastructure sector remains significantly underserved in foundational disclosure capabilities, exposing a major operational gap that undermines the efficacy of its newer cybersecurity regulation. This Coverage Gap threatens effective vulnerability remediation coordination and risks greater impact from cyber incidents. The paper quantifies three Coverage Gap layers—verifiable contact, visible attack surface, and full coordination capability—and benchmarks Chile’s limited progress against mature ecosystems. The proposed roadmap focuses on measurable, externally verifiable technical baselines and mandated adoption pathways, providing Chilean authorities with a concrete, evidence-based foundation for advancing cybersecurity maturity in vital sectors.

Key findings

  • Only 16 out of 915 Chilean OIVs (1.7%) publish a verifiable RFC 9116 security.txt-based vulnerability disclosure channel (Layer 1).
  • Among physical infrastructure sectors (energy, health, banking, telecom, fuel, water, transport, state admin), fewer than 10 OIVs publish a Layer 1 channel; notably, all four major banks and both telecom incumbents lack any discovered channel.
  • Email authentication misconfigurations affect 766 of 915 OIVs (84%), including legacy SPF, missing/broken DKIM, and DMARC policies set to 'none' without enforcement.
  • An estimated 23.5% (Wilson 95% CI [12%, 38%]) of OIVs expose end-of-life or vulnerable software stack components based on passive banner collection on a 25-entity Shodan sample subset.
  • Layer 2 (public attack surface visibility) capability is estimated at approximately 3.5% (around 32 entities), and Layer 3 (full disclosure coordination capability) at approximately 2.8% (around 26 entities).
  • The banking and finance sector exhibits the highest mean CVSS severity of identified vulnerabilities (~7.8 vs. universe mean 6.2), with the finance and telecom sectors showing disproportionate severity relative to their size.
  • Cross-jurisdictional benchmarking situates Chile roughly 8 years behind the USA, UK, and Netherlands on mandated email authentication adoption, and about 3 years behind Denmark.
  • By contrast, US federal civilian agencies under CISA BOD 18-01 achieved over 99% DMARC enforcement adoption within 3 years of directive issuance.
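To make the email-authentication finding above concrete, the following added example (not code from the paper or from anci-oiv-resolver) classifies DMARC and SPF TXT records the way a passive DNS audit could. The category names, the pass criterion and the example.cl sample records are assumptions made here, since this page does not give the paper's exact definitions; DKIM is left out because its selectors cannot be enumerated from the domain name alone.

```python
def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into {lowercase tag: value}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def classify_dmarc(txt_records):
    """txt_records: TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return "broken" if found else "missing"   # RFC 7489: several records, none applied
    tags = parse_tags(found[0])
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject") or not pct.isdecimal() or int(pct) > 100:
        return "broken"
    if policy == "none":
        return "monitor-only"                     # reports only, spoofed mail still delivered
    return "enforced" if int(pct) == 100 else "partial"

def classify_spf(txt_records):
    """txt_records: TXT strings published at the domain itself."""
    found = [r for r in txt_records if r.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if len(found) != 1:
        return "broken" if found else "missing"   # RFC 7208: several records is a permerror
    terms = found[0].lower().split()
    if "+all" in terms or "all" in terms:
        return "permissive"                       # authorises any sender
    if "-all" in terms or "~all" in terms:
        return "restrictive"
    return "neutral"                              # ?all, no all term, or redirect= (not followed)

def email_auth_ok(dmarc_txt, spf_txt):
    """Assumed pass criterion for this example: enforced DMARC plus a restrictive SPF."""
    return classify_dmarc(dmarc_txt) == "enforced" and classify_spf(spf_txt) == "restrictive"

# Constructed DNS answers: domain -> (TXT at _dmarc.<domain>, TXT at <domain>).
SAMPLES = {
    "a.example.cl": (["v=DMARC1; p=reject; rua=mailto:d@a.example.cl"], ["v=spf1 mx -all"]),
    "b.example.cl": (["v=DMARC1; p=none"], ["v=spf1 include:_spf.example.net ~all"]),
    "c.example.cl": ([], ["v=spf1 +all"]),
    "d.example.cl": (["v=DMARC1; p=quarantine; pct=25"], ["v=spf1 mx -all", "v=spf1 a -all"]),
}

def misconfigured_share(samples=SAMPLES):
    """Fraction of sample domains failing the assumed criterion."""
    bad = [d for d, (dmarc, spf) in samples.items() if not email_auth_ok(dmarc, spf)]
    return len(bad) / len(samples)

if __name__ == "__main__":
    print(f"misconfigured: {misconfigured_share():.0%}")
```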

Threat model

The threat model centers on external adversaries who seek to exploit vulnerabilities in Chilean critical infrastructure, including nation-state or criminal actors leveraging social engineering, technical exploits, or supply-chain attacks. The adversary may discover vulnerabilities independently or through external researchers. The key defensive assumption is that operators with verifiable disclosure channels enable coordinated vulnerability management, mitigating adversary impact. However, operators without such channels leave vulnerabilities unreported and unmitigated, increasing risk exposure. The study assumes adversaries do not have insider access and that the researchers do not perform active attacks or unauthorized probing.

Methodology — deep read

  1. Threat Model & Assumptions: The implied adversary is an opportunistic attacker targeting Chilean critical infrastructure who may exploit undisclosed vulnerabilities. The audit focuses on whether operators expose verifiable channels for receiving vulnerability reports from external researchers, on the assumption that operators without such channels cannot coordinate disclosure effectively. The study involves no active probing or exploitation, only passive observation, and assumes no internal operator cooperation beyond observable indicators.

  2. Data: The universe studied is all 915 legally designated Operadores de Importancia Vital (OIVs) per Chile's ANCI Resolución Exenta No 87 (Dec 2025). A canonical mapping from OIV tax IDs (RUTs) to public Internet domains was curated using the open-source anci-oiv-resolver tool, covering roughly 98.7% of OIVs. The audit collected openly published information such as security.txt files (RFC 9116), DNS records for email-authentication (SPF, DKIM, DMARC), public web pages, certificate transparency logs, and publicly available Internet scan metadata (including Shodan banner data for software versioning).

  3. Architecture/Algorithm: The Coverage Gap framework decomposes disclosure capability into three layers—Layer 1: verifiable disclosure contact (machine-readable security.txt or explicit security contact emails); Layer 2: documented public attack surface including correct email authentication records and HTTPS presence; Layer 3: full disclosure coordination with published policies and evidence of past coordinated disclosures. This work performs a full census for Layer 1 across the entire universe via passive HTTP fetching of /.well-known/security.txt and website scraping; Layers 2 and 3 are estimated from sampled data and heuristics. Multi-layer validation filters out false positives using consistency checks on version strings, data type matching, and semantic confirmation.

  4. Training Regime: Not applicable, as the study is empirical and measurement-based without machine learning or model training. Validation thresholds are manually designed to avoid false positives at the expense of some false negatives.

  5. Evaluation Protocol: Universe-scale enumeration for Layer 1 (via standardized passive scanning methods), and sample-based estimation with Wilson confidence intervals for Layer 3 (e.g., software stack vulnerability prevalence from a 25-entity Shodan-enriched subset). Baselines include US CISA BOD 18-01 compliance data, UK NCSC public DMARC adoption stats, EU NIS2 transposition coverage, Netherlands comply-or-explain DMARC adoption, and Denmark CFCS mandates. Benchmarks focus on adoption rates, compliance enforcement levels, and time lag estimates.

  6. Reproducibility: Code and the domain-RUT mapping catalogue are released as open-source under Apache 2.0 (anci-oiv-resolver npm package), enabling independent audit and replication studies. Raw operator identifiers and detailed evidence chains are withheld pending coordinated disclosure commitments.

Example end-to-end: For a given OIV domain, the crawler attempts to fetch /.well-known/security.txt; if no file is found, or if the file lacks a valid Contact: field, a secondary scan attempts to locate typical security email addresses on the main website (e.g., security@domain). DNS records are queried for SPF/DKIM/DMARC configuration status. The Shodan API is queried for publicly exposed server banners to identify software versions. Observed version strings are matched against National Vulnerability Database critical / end-of-life criteria to flag potentially exploitable stacks. Results are validated and persisted only if the criteria are met with confidence. This process is repeated for all 915 OIVs, resulting in universe-scale coverage statistics and sector breakdowns.
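The first step of that pipeline, deciding whether a fetched /.well-known/security.txt is a verifiable Layer 1 channel, can be illustrated with the added example below, which is not code from the paper or from anci-oiv-resolver. It applies the RFC 9116 requirements (text/plain, at least one Contact URI, exactly one unexpired Expires) to already-fetched responses; the verdict names, the HTML soft-404 heuristic and the example.cl samples are assumptions of this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

CONTACT_SCHEMES = {"mailto", "https", "tel"}  # URI forms RFC 9116 shows for Contact

def parse_fields(body):
    """Return {lowercase field name: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def is_contact_uri(value):
    parts = urlsplit(value)
    return parts.scheme.lower() in CONTACT_SCHEMES and bool(parts.netloc or parts.path)

def check_security_txt(status, content_type, body, now):
    """Classify one already-fetched response for /.well-known/security.txt."""
    if status != 200:
        return "absent"
    if not content_type.lower().startswith("text/plain") or "<html" in body.lower():
        return "not-a-security-txt"      # e.g. a site error page served with HTTP 200
    fields = parse_fields(body)
    if not any(is_contact_uri(c) for c in fields.get("contact", [])):
        return "no-valid-contact"        # a bare e-mail address is not a URI
    try:
        (value,) = fields.get("expires", [])     # required, exactly once
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return "verifiable" if when > now else "expired"
    except (ValueError, TypeError):      # missing, repeated, unparsable, or no UTC offset
        return "invalid-expires"

# Constructed responses: host -> (status, Content-Type, body). Hosts are placeholders.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "ok.example.cl": (200, "text/plain; charset=utf-8", "Contact: mailto:sec@ok.example.cl\nExpires: 2027-01-01T00:00:00Z\n"),
    "stale.example.cl": (200, "text/plain", "Contact: https://stale.example.cl/report\nExpires: 2024-01-01T00:00:00Z\n"),
    "bare.example.cl": (200, "text/plain", "Contact: sec@bare.example.cl\nExpires: 2027-01-01T00:00:00Z\n"),
    "cms.example.cl": (200, "text/html", "<html><body>Not found</body></html>"),
}

def audit(samples=SAMPLES, now=NOW):  # host -> Layer 1 verdict
    return {host: check_security_txt(*resp, now) for host, resp in samples.items()}

if __name__ == "__main__":
    print(audit())
```

Only the "verifiable" verdict would count toward a Layer 1 tally; an expired file or a bare address still signals intent but gives a researcher no contact they can rely on.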

Technical innovations

  • Formulation of the Coverage Gap as a quantifiable, three-layer metric capturing observable disclosure capability at a national critical-infrastructure scale.
  • Passive OSINT methodology fully compliant with Chilean cybercrime law and ISO/IEC 29147 transparency principles to enable lawful, large-scale disclosure capability measurement.
  • Release of the anci-oiv-resolver open-source catalogue tool mapping Chilean OIV tax IDs to public Internet domains, enabling universe-scale, replicable infrastructure audits.
  • Cross-jurisdictional benchmarking framework linking technical adoption metrics to regulatory timelines and observable compliance outcomes across US, EU, UK, Netherlands, Denmark and Chile.

Datasets

  • Chile OIV Universe — 915 designated Operators of Vital Importance — official Chilean National Cybersecurity Agency catalogue
  • Shodan Subset — 25 OIV entities with publicly observable HTTP banners and software version metadata — sourced via Shodan
  • Cross-jurisdictional Public Compliance Reports — varied sizes — publicly published government cybersecurity reports and directives

Baselines vs proposed

  • US CISA BOD 18-01: DMARC enforcement adoption rose from ~14% at directive issuance to over 99% within approximately 3 years vs Chile OIVs: approx. 16/915 (1.7%) publish any verifiable disclosure channel and 766/915 (84%) misconfigure email authentication.
  • UK NCSC gov.uk DMARC adoption: near-universal levels >99% vs Chile OIVs: estimated 3.5% public attack surface visibility and 2.8% full disclosure coordination.
  • Netherlands NCSC-NL Comply-or-Explain DMARC framework adoption since 2018 with progressive uptake vs Chile OIVs lagging 8 years behind on similar mandates.
  • Danish CFCS public sector DMARC mandate effective within 3–5 years vs Chile OIVs indicating an approximately 8-year technology and regulatory gap.

Limitations

  • Layer 2 and Layer 3 metrics are estimated from samples and heuristic methods rather than full-universe censuses, limiting precision and completeness.
  • Passive OSINT methods do not probe internal processes; Layer 3 full disclosure coordination capability is conservatively estimated and may underreport true organizational readiness.
  • Software stack-age findings are derived from a small 25-entity Shodan subset with a wide confidence interval (12%-38%), limiting exact quantification.
  • No active vulnerability testing or direct interaction with OIV systems was performed, so actual exploitation risk or patch status cannot be confirmed.
  • Detailed operator-level findings are withheld and not published with the paper to protect vulnerable entities until remediation occurs.
  • Cross-jurisdictional comparisons rely on publicly available compliance statistics which may differ in reporting methodology and scope, limiting strict comparability.

Open questions / follow-ons

  • How does the Coverage Gap evolve under active regulatory enforcement beyond early-stage mandates in Chile and comparable jurisdictions?
  • What are the operational and organizational factors within OIVs that lead to the substantial Coverage Gap despite legal mandates?
  • How effective would targeted regulatory interventions, modeled on US and UK approaches, be in closing the gap in Latin American contexts?
  • Can real-time monitoring tools or incentives improve disclosure coordination and reduce time-to-remediation for vulnerabilities in regulated critical infrastructure?

Why it matters for bot defense

For bot-defense and CAPTCHA practitioners, this paper highlights the broader issue of cybersecurity operational maturity at the critical-infrastructure layer, showing that even foundational communication channels for vulnerability reporting are missing at scale in Chile. Bot-defense engineers can interpret the Coverage Gap as an indicator of systemic exposure in backend infrastructure that supports critical services where bots and automated attacks also operate. The prevalence of email authentication failures (SPF, DKIM, DMARC) demonstrates an increased risk of phishing, spoofing, and automated abuse, which intersect with CAPTCHA deployment strategies.

Practitioners designing bot-detection or user verification systems in regulated environments should consider the empirical evidence showing how far behind some jurisdictions remain in basic operational security hygiene. This underscores the importance of integrating security best practices and measurable compliance monitoring into bot-defense frameworks. Additionally, the paper’s methodology—passive OSINT scanning combined with registry mapping tools—offers a replicable approach for bot-defenders to audit their own infrastructure or third-party dependencies to identify systemic weaknesses that could be exploited by automated adversaries.

Cite

@article{arxiv2606_05594,
  title={The Coverage Gap: Chile's Cyber Disclosure Framework versus the USA, EU and UK},
  author={David Mellafe Z},
  journal={arXiv preprint arXiv:2606.05594},
  year={2026},
  url={https://arxiv.org/abs/2606.05594}
}

Articles are CC BY 4.0 — feel free to quote with attribution