The Coverage Gap: Chile's Cyber Disclosure Framework versus the USA, EU and UK

Abstract

We introduce the Coverage Gap as a measurable distance between the public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital (OIVs) designated by the National Cybersecurity Agency (ANCI) under Ley 21.663 (Resolucion Exenta No. 87, 2025). Using a passive-only, OSINT-based method consistent with ISO/IEC 29147:2018 and Chile's computer-crimes safe harbour (Ley 21.459), we census the foundational disclosure-capability layer (Layer 1: a verifiable disclosure contact). Only 16 of 915 OIVs (1.7%) publish a verifiable RFC 9116 disclosure channel; all four major banks and both telecommunications incumbents lack one entirely. This compares with over 99% adherence under CISA Binding Operational Directive 20-01 (the U.S. federal Vulnerability Disclosure Policy directive; the email-authentication mandate is the separate BOD 18-01). On the secondary email-authentication axis, Chilean OIVs are comparatively strong: DMARC enforcement (quarantine or reject) is present for 146 of 915 designations (16.0%) -- equivalently 16.6% of the 882 measurable domains -- with any-DMARC at 28.0%, above the ~11% top-1M baseline of Tatang et al. (RAID 2021). End-of-life or known-vulnerable components affect an estimated 23.5% (Wilson 95% CI [12-38%]). We propose a four-stage remediation roadmap and release the open-source tool anci-oiv-resolver v0.6.0 (Apache 2.0) for independent reproduction of the OIV-domain mapping. This is a corrected version 2; the email-authentication re-anchor and benchmark-label fix are documented in the 'Changes in v2' note.
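The two per-domain checks behind the headline figures (a Layer 1 disclosure contact and DMARC enforcement) can be sketched as follows. This is an added example, not code from the paper or from anci-oiv-resolver: it assumes "verifiable" means an RFC 9116 file with at least one Contact URI and a single unexpired Expires field, it takes already-collected file bodies and TXT records as input, and the `.example` domains and function names are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_security_txt(body):
    """Collect 'Name: value' fields from a security.txt body, skipping comments."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def has_disclosure_channel(body, now):
    """RFC 9116: at least one Contact URI and exactly one Expires, still in the future."""
    fields = parse_security_txt(body)
    contacts = [c for c in fields.get("contact", [])
                if c.lower().startswith(("mailto:", "https://", "tel:"))]
    expires = fields.get("expires", [])
    if not contacts or len(expires) != 1:
        return False
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return False
    return when.tzinfo is not None and when > now

def dmarc_policy(txt):
    """Return the p= value of a DMARC record, or None if txt is not a valid one."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    if not tags or tags[0].replace(" ", "") != "v=DMARC1":
        return None
    found = {k.strip().lower(): v.strip().lower()
             for k, _, v in (t.partition("=") for t in tags[1:])}
    p = found.get("p")
    return p if p in ("none", "quarantine", "reject") else None

def census(observations, now):
    """observations maps domain -> (security.txt body or None, _dmarc TXT or None)."""
    policies = [dmarc_policy(d) if d else None for _, d in observations.values()]
    return {"n": len(observations),
        "layer1": sum(bool(s) and has_disclosure_channel(s, now) for s, _ in observations.values()),
        "any_dmarc": sum(p is not None for p in policies),
        "enforced": sum(p in ("quarantine", "reject") for p in policies)}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock and sample, not paper data
SAMPLE = {
    "bank.example": (None, "v=DMARC1; p=reject; rua=mailto:d@bank.example"),
    "water.example": ("Contact: mailto:sec@water.example\nExpires: 2030-01-01T00:00:00Z", "v=DMARC1; p=none"),
    "power.example": ("Contact: mailto:sec@power.example\nExpires: 2020-01-01T00:00:00Z", "v=spf1 -all")}
```

Calling `census(SAMPLE, NOW)` counts one Layer 1 channel, two DMARC records and one enforced policy across the three constructed domains; the expired file and the non-DMARC TXT record are both rejected.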
