How EU lawmakers can make mandatory vulnerability disclosure responsible
2023-08-21 04:30

While the CRA doesn't demand that companies forward an exploited vulnerability's full technical specifications to ENISA, it does require companies to report a vulnerability "with details", and those details could be more than enough to attract the attention of a savvy attacker.

As the CERT Guide to Coordinated Vulnerability Disclosure puts it: "Mere knowledge of a vulnerability's existence in a feature of some product is sufficient for a skillful person to discover it for themselves."

The CRA also risks providing cover to other problematic vulnerability disclosure laws, specifically China's Regulations on the Management of Network Product Security Vulnerabilities.

Research studies suggest that these vulnerability disclosures are now being used for intelligence purposes, and that the regulation might have harmed software providers' access to vulnerability information by dissuading ethical hackers from searching for vulnerabilities in the first place.

Consumer protection groups have also expressed alarm at the CRA's vulnerability disclosure requirements and urged EU policymakers to install safeguards against misuse.

Working together, the public and private sector must strive towards policy outcomes that enable vulnerability discovery and disclosure without putting businesses and consumers at needless risk.


News URL

https://www.helpnetsecurity.com/2023/08/21/vulnerability-disclosure/