Introduction
Every year, around December, the eduGAIN CSIRT runs a challenge to assess a critical part of the eduGAIN communication infrastructure: the security contacts of the eduGAIN Participants, where available. The security contacts email addresses have been retrieved from the eduGAIN Database using the APIs published on the technical site. The procedure used to collect the email addresses is available on the GEANT gitlab:
The security contacts are stored in the eduGAIN Database and can be consulted on the Member Federations page:
https://technical.edugain.org/status
Moreover, this year the federation security contact turned into a mandatory requirement for all the eduGAIN Participants. The terms of the security contact are available on the eduGAIN wiki:
eduGAIN Participants Security Contact
Participants
In the eduGAIN Communication Challenge 2025-12, 61 eduGAIN Participants have been challenged:
| AAF |
| AAI-EDUHR |
| AAIEDUMK |
| ACONET |
| AZSCINET |
| BELNET |
| BIF |
| CAF |
| CAFE |
| CARSI |
| COFRE |
| CYNET-IF |
| DFN-AAI |
| EDUGATE |
| EDUID-AFRICA |
| EDUID-CZ |
| EDUID-HU |
| EDUID-NG |
| EDUID-TG |
| EFIS |
| FEBAS |
| FEIDE |
| FENIX |
| FER |
| FIDERN |
| FIEL |
| GAKUNIN |
| GARNETIF |
| GIF |
| GRNET |
| HAKA |
| IDEM |
| INCOMMON |
| IRFED |
| LEAF |
| LITNET-FEDI |
| LK-LIAF |
| MAREN |
| OMREN |
| PIONIER-ID |
| RAFIKI |
| RCTSAAI |
| RIF |
| ROEDUNETID |
| SAFEID |
| SAFIRE |
| SA-MIF |
| SGAF |
| SIF |
| SIFULAN |
| SIR |
| SURFCONEXT |
| SWAMID |
| SWITCHAAI |
| TAAT |
| TERNET-IF |
| THAILDF |
| TIGERFED |
| TUAKIRI |
UK-FEDERATION |
| WAYF |
eduGAIN participants that didn't communicate their security contacts were excluded from the challenge.
Challenge timeline
In order to guarantee equal conditions for each participants independently from their time zone, security contact has been challenged using a randomized timeline on a 24 hours range, so each contact has been challenged at a different time.
- 2025-11-25T11:20:11.283631Z - First challenge sending time.
- 2025-11-26T10:49:11.291460Z - Last challenge sending time.
- 2025-12-02T23:59:59.00 - End of the challenge.
- 2025-12-03 - Public report available (this wiki page).
What was assessed
- That the provided security contact is a well formed email address.
- That the provided email address is not bouncing.
- That the recipients of the security contact are reading the mailbox, follow the link provided, and solve a simple math challenge to confirm that the email address is still valid and a human is handling the messages.
Reaction times — the time elapsed between the sending of the challenge and the submission of the result of the simple math problem --- is measured as well to assess the responsiveness of the security contacts.
Results
Responses
Assuming that all contacted participants received the challenge e-mail and understood what action was expected from them, we had the following results: 59% success rate, in absolute numbers 36 participants out of 61 have reacted within the challenge time frame (7 days). This results are in line with the eduGAIN CommsChallenge2022-12 Results, though slightly worse.
Issues
The number of responses is an all time low for the eduGAIN Communication Challenges, which in the previous editions ranged between 75 and 86%. This might be related to the introduction of the simple math challenge, but it will require further investigation.
Summary
36 participants (59%) have reacted
61 participants have been challenged
35 participants (57%) have reacted within 24 h
Graph
Reaction times
The graph above shows that the all reactions were recorded within 140 hours, with the vast majority within 24 hours. Almost all time zones were covered in this global exercise, and although the time at which each contact has been challenged was random, the reaction times does not differ wildly from last year results. Overall, the reaction time of the respondents are quite good and show that the security contact addresses of the participants are monitored during out-of-office hours.
| Time | Respondents |
|---|---|
| < 4h | 20 |
| < 10h | 29 |
| < 24h | 35 |
Non answering contacts
The following eduGAIN participants did not answer the challenge.
| Federation | Additional response/clarification |
|---|---|
| AAF | |
| BELNET | |
| BIF | |
| CAFE | |
| EDUID-TG | |
| EFIS | |
| FENIX | |
| FIEL | |
| GARNETIF | |
| GIF | |
| GRNET | |
| HAKA | |
| LEAF | |
| LK-LIAF | |
| OMREN | |
| RAFIKI | |
| ROEDUNETID | |
| SAFEID | |
| SA-MIF | |
| SIR | |
| TERNET-IF | |
| THAILDF | |
| TIGERFED | |
UK-FEDERATION | |
| WAYF |
Follow Up
The participants that have not reacted to the challenge will be contacted by the eduGAIN CSIRT to understand what did not work in the current run.