Hacker News | crnigruja's comments

Additionally, on Novak's PCR test from Dec 16th on the website, the test result "NEGATIVE" had been changed to "POSITIVE" sometime around 14h00 on January 10th. This was noticed by several people, including myself (I even took a screenshot myself before and after).

BTW, apparently my IP address has now been blocked from accessing that website :) I get this message now: "Ваша адреса је блокирана 24 сата! Vaša adresa je blokirana 24 sata! Your address is blocked for 24 hours!"


I just got blocked for 24 hours as well. After opening https://pcr.euprava.gov.rs/validate.php?cqcode=1641591150Q!A... just fine, I tried to see what happens when you change the digits to cqcode=1641591151... :)

While I guess in these cases governments don't really worry about enumeration aka https://en.wikipedia.org/wiki/German_tank_problem - it's still often a security risk that means you usually try to avoid it.

Even when internally you have an auto-incremental ID, you can provide a non-sequential public ID (e.g. at least use SkipJack/Skip32 of that incremental value).
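
A sketch of the non-sequential public ID idea from the comment above, added here and not part of the original thread or of the website's code. Instead of Skip32 it uses a stand-in with the same shape (keyed, reversible, 32 bits in and out): an 8-round Feistel permutation with HMAC-SHA256 as the round function. The key, the function names and the round count are assumptions.

```python
import hashlib
import hmac

ROUNDS = 8          # assumption: round count chosen for this sketch
MASK16 = 0xFFFF


def _round(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round, half), cut to 16 bits."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def encode_id(key: bytes, internal_id: int) -> int:
    """Map a sequential 32-bit internal ID to a non-sequential public ID."""
    if not 0 <= internal_id < 2**32:
        raise ValueError("internal_id must fit in 32 bits")
    left, right = internal_id >> 16, internal_id & MASK16
    for rnd in range(ROUNDS):
        # Feistel step: (L, R) -> (R, L xor F(R)); invertible for any F.
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 16) | right


def decode_id(key: bytes, public_id: int) -> int:
    """Invert encode_id: recover the internal ID from the public ID."""
    if not 0 <= public_id < 2**32:
        raise ValueError("public_id must fit in 32 bits")
    left, right = public_id >> 16, public_id & MASK16
    for rnd in reversed(range(ROUNDS)):
        # Undo one step: (R, L xor F(R)) -> (L, R).
        left, right = right ^ _round(key, rnd, left), left
    return (left << 16) | right


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample; keep a real key server-side
    # The two adjacent numeric values mentioned in the comment above.
    for internal in (1641591150, 1641591151):
        public = encode_id(key, internal)
        print(internal, "->", public, "->", decode_id(key, public))
```

A 32-bit permutation only hides the ordering and count of IDs from someone without the key; the public value can still be guessed at random, so rate limiting and access checks on the lookup stay relevant.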


Rate limiting has been implemented on this validation page from the start to prevent crawling and abuse. And please do not lie about changes on the test! Really bad thing to do right now, not just for Novak, for everyone in his situation.

