Cybersecurity experts raise concerns over vulnerability disclosure requirements in EU’s Cyber Resilience Act

Cybersecurity experts have urged EU policymakers to reconsider vulnerability disclosure requirements in the proposed Cyber Resilience Act, expressing concerns that mandatory disclosures could have unintended security consequences for digital products and discourage vital cybersecurity research.

 Person, Security, Adult, Male, Man

Cybersecurity experts have sent a letter to EU policymakers, urging a reconsideration of a crucial component within the proposed Cyber Resilience Act (CRA) – the vulnerability disclosure requirements. This appeal, conveyed through an open letter published on October 3rd, calls attention to the potential consequences of this provision.

The European Commission introduced the CRA in September 2022 with the aim of implementing cybersecurity regulations across the EU, encompassing mandatory security updates and protocols for handling vulnerabilities in digital products designed to collect and exchange data.

A central aspect of the Act requires organizations to promptly report software vulnerabilities to government agencies within 24 hours of their discovery. However, the experts contend that these mandatory disclosures might inadvertently jeopardize the security of digital products and the individuals who rely on them.

Ciaran Martin, one of the signatories and a professor, as well as the former head of the UK National Cyber Security Centre, emphasized that while the CRA represents a positive step towards bolstering European cybersecurity, specific aspects, such as the mandated vulnerability disclosures, warrant careful reconsideration.

This open letter, directed to key policymakers including Thierry Breton, the Commissioner for Internal Market, Carme Artigas Brugal, the Spanish Secretary of State for Digitization and AI, and Nicola Danti, the Parliament’s CRA rapporteur, was delivered on Monday.

The vulnerability disclosure requirements stipulated in the CRA compel software manufacturers to disclose “unpatched” vulnerabilities to authorities within 24 hours of discovery. However, experts argue that this approach may have unintended consequences, as it overlooks the intricate process of addressing vulnerabilities effectively.

Katie Moussouris, CEO and Founder of Luta Security, pointed out that governments may not possess the expertise to create fixes for vulnerabilities, and mandating organizations to report vulnerabilities prematurely could hinder the coordination necessary for a secure resolution.

Moreover, concerns include the potential misuse of databases for surveillance and a chilling effect on cybersecurity research, as researchers might be discouraged from reporting vulnerabilities. To address these issues, the experts recommend adopting a risk-based approach to vulnerability disclosure, considering factors such as severity, available mitigations, potential impact on users, and the likelihood of broader exploitation.

These concerns echo those raised earlier by digital rights organizations and cyber industry players, who warned of the risks associated with unpatched vulnerability disclosures, including misuse for state intelligence purposes and exposure to cyberattacks before mitigations are in place.