[AFRINIC-Announce] Important Notice: Clarification Regarding Alleged Exposure of Designated Voter Documents

AFRINIC Communication comms at afrinic.net
Mon Aug 4 17:28:13 UTC 2025


Dear Colleagues,

We are writing to clarify a recent report which inaccurately claims the discovery of a vulnerability in AFRINIC’s Designated Voter Nomination platform.

The report in question references two document links as evidence of a supposed flaw. However, these links were associated with a test nomination created internally by AFRINIC staff. They were not publicly accessible through the platform, nor were they exposed due to any system vulnerability. Rather, they appear to have been shared by someone with legitimate access.

Our Nomination Platform Remains Secure
We want to reassure the community that the platform remains secure and that no real member data has been compromised. We remain fully committed to a fair, trusted, and transparent election process.

Our immediate internal investigation confirms:
    • The documents referenced were part of a controlled test nomination submitted during platform testing.
    • Access to these links was limited to the Registered Contacts of the organisation involved in the test, and AFRINIC staff directly supporting the election process.
    • No actual member data was leaked or made accessible to unauthorised individuals.

Why This Is Not a Vulnerability
    • Each document link contains a unique 39-character (312-bit) ID generated randomly.
    • These links cannot be guessed or enumerated through any automated or manual means.
    • The file storage directory does not permit listing or browsing.
    • The only plausible way for such a link to become public is through intentional sharing by someone who received it.

Our findings strongly suggest that one or more recipients of the nomination emails shared these links externally, in violation of AFRINIC's data confidentiality policies.

Our Priority is Ensuring Election Integrity
The integrity of this election process and the protection of member data remain paramount. AFRINIC’s 2025 Election Committee further wishes to reaffirm our commitment to ensuring transparent handling of any incidents, confidentiality among AFRINIC personnel and committees, and ensuring the highest standards of trust, fairness, and legal compliance.

AFRINIC has taken the following steps in response:
    • Audited access logs for all nomination submission emails and document retrievals.
    • Launched a formal internal investigation to determine the source of the leak. Appropriate disciplinary or legal action will follow based on the outcome.
    • Launched an additional security review of the election platform and related workflows to ensure confidentiality and appropriate access restrictions.

If you have any questions or concerns, please reach out to ecom2025 at afrinic.net.

Sincerely,
AFRINIC 2025 Election Committee