Coalition Letter Urging Reconsideration of the Vulnerability Disclosure Requirements under the Proposed EU Cyber Resilience Act (CRA)
3rd October 2023
Mr Thierry Breton, Commissioner for Internal Market, European Commission
Ms Carme Artigas Brugal, Secretary of State for Digitisation and Artificial Intelligence, Ministry of Economic Affairs and Digital Transformation, Spain
Mr Nicola Danti, Rapporteur for Cybersecurity Resilience Act, European Parliament
As concerned cybersecurity experts who have dedicated our lives to improving the security of the online environment, we urge you to reconsider the vulnerability disclosure requirements under the proposed EU Cyber Resilience Act (CRA). While we appreciate the CRA’s aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.
Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors. There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.
Misuse for intelligence and surveillance
Government access to a wide range of unmitigated software vulnerabilities could be misused for intelligence or surveillance purposes. The absence of restrictions on offensive uses of vulnerabilities disclosed through the CRA, and the absence of transparent oversight mechanisms in almost all EU Member States, open the door to potential misuse.
Risk of exposure to malicious actors
Breaches and the subsequent misuse of government-held vulnerabilities are not a theoretical threat but have happened at some of the best-protected entities in the world. While the CRA does not require a full technical assessment to be disclosed, even the knowledge of a vulnerability’s existence is sufficient for a skilful person to reconstruct it.
Chilling effect on good faith researchers
Disclosing vulnerabilities prematurely may interfere with the coordination and collaboration between software publishers and security researchers, who often need more time to verify, test, and patch vulnerabilities before making them public. As a result, the CRA may reduce the receptivity of manufacturers to vulnerability disclosures from security researchers, and may discourage researchers from reporting vulnerabilities if each disclosure triggers a wave of government notifications.
While the intention behind disclosing vulnerabilities promptly may be to facilitate mitigation, the CRA already requires software publishers to mitigate vulnerabilities without delay in a separate provision. We support this obligation, but also advocate for a responsible and coordinated disclosure process that balances the need for transparency with the need for security. We recommend that the CRA adopt a risk-based approach to vulnerability disclosure, taking into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation. With that in mind, and to avoid unintentionally exposing consumers and organisations in Europe and beyond to new cybersecurity risks, we recommend that Article 11, paragraph 1, be either removed in its entirety or revised as follows:
- Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.
- Reporting to agencies should be required only for mitigatable vulnerabilities, within 72 hours of effective mitigations (e.g., a patch) becoming publicly available. Details could include the initial discovery date by the manufacturer.
- The CRA should not require reporting of vulnerabilities that are exploited through good faith security research. In contrast to malicious exploitation of a vulnerability, good faith security research does not pose a security threat.
- Article 11-1 should reference ISO/IEC 29147 and use it as the baseline for all EU vulnerability reporting.