
Cybersecurity Experts: EU Cyber Resilience Act’s Vulnerability Disclosure Policy Paves Way for New Threats

Cybersecurity experts globally have penned an open letter advocating for a risk-based approach to vulnerability disclosure, emphasizing severity, potential impact, and mitigation strategies.


A large group of professionals from institutions worldwide, including the Electronic Frontier Foundation, the CyberPeace Institute, ESET, Rapid7, Bugcrowd, and Trend Micro, recently wrote an open letter expressing concerns over the proposed vulnerability disclosure policy of the European Union's Cyber Resilience Act (CRA). The letter, addressed to the key figures drafting the CRA, warns that the policy as written would open the door to new threats against the security of digital products and the people who use them.

Problematic Provisions and the Threat They Create

The CRA was proposed by the European Commission under its president, Ursula von der Leyen, with the aim of strengthening cybersecurity requirements for products with digital elements and thereby protecting consumers and businesses from products shipped with inadequate security. The experts argue in their letter, however, that the current rules on vulnerability disclosure could backfire and create new security holes.

They specifically target Article 11, which requires software publishers to report vulnerabilities to government agencies within 24 hours of becoming aware that they are being actively exploited. Because the trigger is awareness of exploitation rather than the availability of a fix, the reported vulnerabilities will often still be unpatched. The requirement therefore effectively builds a government-held database of software with unmitigated vulnerabilities, a tempting target for malicious actors.

“Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors. There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.”

Beyond the risk of misuse, the experts also worry that the reported vulnerabilities could leak to hostile actors, that the rule could hinder legitimate security research, and that it could damage the coordination between software publishers and security researchers on which responsible disclosure depends. The absence of clear limits on the offensive use of reported vulnerabilities, and of transparent oversight mechanisms, only amplifies these risks, the letter notes.

To address these drawbacks, the open letter calls for a risk-based approach to vulnerability disclosure, one that takes into account the severity and potential impact of each vulnerability and whether mitigations are available before it must be reported.

Luke Jones