Cybersecurity experts raise concerns over EU Cyber Resilience Act’s vulnerability disclosure requirements

Dozens of global cybersecurity experts have raised concerns about the proposed vulnerability disclosure requirements of the EU’s Cyber Resilience Act (CRA). An open letter signed by representatives from a wide range of organizations including Google, the Electronic Frontier Foundation, the CyberPeace Institute, ESET, Rapid7, Bugcrowd, and Trend Micro claimed that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.

The letter was addressed to Thierry Breton, commissioner for internal market, European Commission; Carme Artigas Burga, state secretary for digitalization and artificial intelligence, Ministry of Economic Affairs and Digital Transformation, Spain; and Nicola Danti, rapporteur for CRA, European Parliament.

The EU CRA aims to set out new cybersecurity requirements for products with digital elements, bolstering cybersecurity rules for hardware and software to protect consumers and businesses from inadequate security features. It was first put forward by Ursula von der Leyen, president of the European Commission, in September 2021, with an initial proposal published in September 2022. It is currently being crafted by EU co-legislators.

In July, several IT and tech industry groups issued a list of recommendations for improving the EU CRA. The associations urged the co-legislators not to prioritize speed over quality in finalizing their positions to avoid unintended outcomes, citing problematic aspects that need to be addressed in the current proposal.

Unpatched vulnerabilities must be disclosed within 24 hours of exploitation

Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors, the letter read. “There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities,” it added.

Risks include misuse, exposure to malicious actors, hampering of research

The risks posed by the current vulnerability disclosure proposals include misuse for intelligence and surveillance, exposure to malicious actors, and negative effects on good-faith security research, according to the letter.