Cryptographic Framework and Back-end Security Evaluation Dutch COVID-19 Notification App

Radically Open Security has been contracted by the Ministry of Health, Welfare and Sport (Ministerie van Volksgezondheid, Welzijn en Sport) to peer-review the Dutch cryptographic framework and perform a code review on the CoronaMelder back-end code. Both reviews were time-boxed. This report contains our analysis as well as detailed explanations of any findings discovered.