A group of cybersecurity professionals from organisations around the world, including Google, the Electronic Frontier Foundation, the CyberPeace Institute, ESET, Rapid7, Bugcrowd, and Trend Micro, recently published an open letter raising concerns about the vulnerability disclosure provisions of the European Union's proposed Cyber Resilience Act (CRA). The letter, addressed to the EU policymakers shaping the CRA, warns that the provisions as drafted would create new threats to the security of digital products and the people who use them.
Problematic Aspects and Impending Threat of CRA's Provisions
The CRA was proposed by the European Commission under its president, Ursula von der Leyen, with the aim of strengthening cybersecurity requirements for digital products and thereby protecting consumers and businesses from products with inadequate security. The experts argue in their letter, however, that the current rules on vulnerability disclosure could backfire and open new security holes.
They specifically target Article 11, which would require software publishers to report unpatched vulnerabilities to government agencies within 24 hours of becoming aware that they are being actively exploited. In effect, this requirement would build a government-held database of software with known, unmitigated vulnerabilities: a tempting target for malicious actors.
“Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors. There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.”
Beyond the risk of misuse by the agencies themselves, the experts also worry that disclosed vulnerabilities could leak to hostile parties, that the rules could have a chilling effect on security research, and that they could damage the coordinated disclosure relationship between software publishers and security researchers. The letter notes that the absence of strict limits on offensive use of the disclosed vulnerabilities, and of transparent oversight mechanisms, only amplifies these risks.
To address these drawbacks, the open letter recommends a risk-based approach to vulnerability disclosure: one that weighs the severity and potential impact of a vulnerability, and whether a mitigation is available, before reporting is required.