I live in some EU country and I rely on social security provided by the regional government. There is a website where residents can sign up and claim benefits without physically visiting an office. While helping a friend sign up, I accidentally discovered critical bugs that could enable anyone visiting the website to run arbitrary code. I documented my findings and sent them via email. I received an automated response that said my email was received, but I didn't hear anything further.
To protect my data, I disabled my account and asked for all my data to be removed from the website. I started walking half an hour to the office and doing everything on paper to receive my benefits. However, after months, the exploit seems not to have been fixed yet. I am deeply concerned that a malicious actor could have already accessed the data and made the lives of the most vulnerable of our society even more vulnerable. Since the interface feels more than a decade old, which suggests the back-end is too, this is a real possibility. Does GDPR mandate that institutions fix bad code that could compromise the security and/or privacy of its users? If not, is there any other legislation that I can cite to pressure them to fix their site? If I were outside the EU, what legislation would do the job?