The Coverage Gap: Chile's Cyber Disclosure Framework versus the USA, EU and UK
arXiv SecurityArchived Jun 05, 2026✓ Full text saved
arXiv:2606.05594v1 Announce Type: new Abstract: We introduce the Coverage Gap as a measurable distance between the observable public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital (OIVs -- Operators of Vital Importance) designated by the National Cybersecurity Agency (ANCI) under Ley 21.663 (Resolucion Exenta No. 87, 16 December 2025). Using a passive-onl
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Cryptography and Security
[Submitted on 4 Jun 2026]
The Coverage Gap: Chile's Cyber Disclosure Framework versus the USA, EU and UK
David Mellafe Z
We introduce the Coverage Gap as a measurable distance between the observable public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital (OIVs -- Operators of Vital Importance) designated by the National Cybersecurity Agency (ANCI) under Ley 21.663 (Resolucion Exenta No. 87, 16 December 2025). Using a passive-only, OSINT-based method consistent with the principles of ISO/IEC 29147:2018 and Chile's computer-crimes safe harbour (Ley 21.459), we conduct a full-universe census of the foundational disclosure-capability layer (Layer 1, verifiable disclosure contact) across approximately 98.7% of the official catalogue. Only 16 of 915 OIVs (1.7%) publish a verifiable RFC 9116 disclosure channel; among operators of physical-world infrastructure -- energy, health, banking, telecommunications, fuel, water, transport, and state administration -- fewer than ten do so, and all four major banks and both telecommunications incumbents lack one entirely. This compares with over 99% adherence in the U.S. federal civilian branch under CISA Binding Operational Directive 18-01. Email-authentication misconfiguration affects 766 of 915 (84%) OIVs, and end-of-life or known-vulnerable stack components an estimated 23.5% (Wilson 95% CI [12%, 38%]). Cross-jurisdictional benchmarking situates Chile roughly eight years behind the USA, the UK, and the Netherlands on email-authentication mandates, and three years behind Denmark. We propose a four-stage roadmap modelled on BOD 18-01 and the UK Public-Sector DMARC Toolkit, and release the open-source tool anci-oiv-resolver (Apache 2.0) to enable independent reproduction of the OIV-domain mapping that underpins universe-scale auditing.
Comments: 11 pages, IEEEtran conference format, 1 figure. Companion open-access release: doi:https://doi.org/10.5281/zenodo.20501960. Open-source tool: anci-oiv-resolver (Apache-2.0)
Subjects: Cryptography and Security (cs.CR)
ACM classes: K.6.5; K.4.1
Cite as: arXiv:2606.05594 [cs.CR]
(or arXiv:2606.05594v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2606.05594
Focus to learn more
Submission history
From: David Mellafe Zuvic [view email]
[v1] Thu, 4 Jun 2026 02:17:27 UTC (28 KB)
Access Paper:
HTML (experimental)
view license
Current browse context:
cs.CR
< prev | next >
new | recent | 2026-06
Change to browse by:
cs
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)