A diverse coalition of cyber notables that include top security pros and researchers from ESET, Rapid7, the Electronic Frontier Foundation, and Google’s Vint Cerf, have taken the European Union (EU) to task over requiring software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.In an open letter to the EU, 56 cybersecurity leaders said the EU’s proposed one-day vulnerability disclosure requirement under the Cyber Resilience Act (CRA) means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities without the ability to protect them.They said it would create a tempting target for malicious actors, who could misuse the database for intelligence, and have a chilling effect on good-faith security researchers.“Disclosing vulnerabilities prematurely may interfere with the coordination and collaboration between software publishers and security researchers, who often need more time to verify, test, and patch vulnerabilities before making them public,” said the open letter.
Industry pros split on Cyber Resilience Act
While many of the security researchers SC Media contacted tended to agree with the open letter, there were some who looked at the CRA news more favorably, albeit for different reasons.“The act is a positive step forward,” said John Gunn, chief executive officer at Token. “The arguments against it are outdated and predicated on two faulty assumptions: that cyber criminals are not already discovering and sharing information about vulnerabilities at an increasing rate, and that organizations are content being exposed to risk without their knowledge or consent when they otherwise could have taken the impacted device or service offline.”Kate Kuehn, chief trust officer at Aon Cyber Solutions, who has been very much involved in regulatory affairs in the United States, said the open letter was a step in the right direction.“I think it’s actually not a concern, I think it’s a good thing,” said Kuehn. “We should see more adoption of this kind of behavior in the U.S. There’s a lot of grumbling going on about our disclosures, but there hasn’t been, to the point of this open letter, what the community wants the standards to be.”To Kuehn’s point, the writers of the open letter outline several specific points they want the EU to reconsider, including:- Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.
- Require reporting to agencies of mitigatable vulnerabilities only, within 72 hours of effective mitigations (a patch) becoming publicly available. Details could include the initial discovery date by the manufacturer.
- The CRA should not require reporting of vulnerabilities that are exploited through good faith security research. In contrast to malicious exploitation of a vulnerability, good faith security research does not pose a security threat.




