We introduce the Coverage Gap as a measurable distance between the public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital (OIVs) designated by the National Cybersecurity Agency (ANCI) under Ley 21.663 (Resolucion Exenta No. 87, 2025). Using a passive-only, OSINT-based method consistent with ISO/IEC 29147:2018 and Chile's computer-crimes safe harbour (Ley 21.459), we census the foundational disclosure-capability layer (Layer 1: a verifiable disclosure contact). Only 16 of 915 OIVs (1.7%) publish a verifiable RFC 9116 disclosure channel; all four major banks and both telecommunications incumbents lack one entirely. This compares with over 99% adherence under CISA Binding Operational Directive 20-01 (the U.S. federal Vulnerability Disclosure Policy directive; the email-authentication mandate is the separate BOD 18-01). On the secondary email-authentication axis, Chilean OIVs are comparatively strong: DMARC enforcement (quarantine or reject) is present for 146 of 915 designations (16.0%) -- equivalently 16.6% of the 882 measurable domains -- with any-DMARC at 28.0%, above the ~11% top-1M baseline of Tatang et al. (RAID 2021). End-of-life or known-vulnerable components affect an estimated 23.5% (Wilson 95% CI [12-38%]). We propose a four-stage remediation roadmap and release the open-source tool anci-oiv-resolver v0.6.0 (Apache 2.0) for independent reproduction of the OIV-domain mapping. This is a corrected version 2; the email-authentication re-anchor and benchmark-label fix are documented in the 'Changes in v2' note.
翻译:我们定义了“覆盖缺口”这一概念,用以衡量关键基础设施运营商的公开暴露程度与其宣称的协调漏洞披露能力之间的可量化距离。我们以智利国家网络安全局(ANCI)依据第21.663号法律(第87号豁免决议,2025年)指定的915家“生命攸关运营商”(OIV)为实例进行验证。采用仅基于被动OSINT的方法(符合ISO/IEC 29147:2018标准和智利计算机犯罪安全港规定第21.459号法律),我们对基础披露能力层(第一层:可验证的披露联系渠道)进行了普查。结果显示,915家OIV中仅有16家(1.7%)发布了符合RFC 9116标准的可验证披露渠道;所有四大主要银行及两家电信运营商均完全缺失该渠道。相比之下,美国CISA有约束力操作指令20-01(美国联邦漏洞披露政策指令;电子邮件身份验证强制要求为单独的BOD 18-01)下的合规率超过99%。在次要的电子邮件身份验证维度上,智利OIV表现相对较强:DMARC强制策略(隔离或拒绝)在915家指定机构中的146家(16.0%)得到实施——相当于882个可测量域名中的16.6%;任意DMARC部署率为28.0%,高于Tatang等人(RAID 2021)研究报告中约11%的前100万域名基线水平。预计23.5%的运营组件存在生命周期终止或已知漏洞问题(Wilson 95%置信区间[12-38%])。我们提出了一个四阶段补救路线图,并发布了开源工具anci-oiv-resolver v0.6.0(Apache 2.0许可),用于独立复现OIV域名映射。本文为修正后的第2版,电子邮件身份验证基准调整和基准标签修正已在“版本2更新说明”中记录。