Cybersecurity experts raise concerns over EU Cyber Resilience Act’s vulnerability disclosure requirements

Dozens of global cybersecurity experts have raised concerns about the proposed vulnerability disclosure requirements of the EU’s Cyber Resilience Act (CRA). An open letter signed by representatives from a wide range of organizations including Google, the Electronic Frontier Foundation, the CyberPeace Institute, ESET, Rapid7, Bugcrowd, and Trend Micro claimed that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them.

The letter was addressed to Thierry Breton, commissioner for internal market, European Commission; Carme Artigas Burga, state secretary for digitalization and artificial intelligence, Ministry of Economic Affairs and Digital Transformation, Spain; and Nicola Danti, rapporteur for CRA, European Parliament.

The EU CRA aims to set out new cybersecurity requirements for products with digital elements, bolstering cybersecurity rules for hardware and software to protect consumers and businesses from inadequate security features. It was first put forward by Ursula von der Leyen, president of the European Commission, in September 2021, with an initial proposal published in September 2022. It is currently being crafted by EU co-legislators.

In July, several IT and tech industry groups issued a list of recommendations for improving the EU CRA. The associations urged the co-legislators not to prioritize speed over quality in finalizing their positions to avoid unintended outcomes, citing problematic aspects that need to be addressed in the current proposal.

Unpatched vulnerabilities must be disclosed within 24 hours of exploitation

Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment, while simultaneously creating a tempting target for malicious actors, the letter read. “There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities,” it added.

Risks include misuse, exposure to malicious actors, hampering of research

The risks posed by the current vulnerability disclosure proposals include misuse for intelligence and surveillance, exposure to malicious actors, and negative effects on good-faith security research, according to the letter.

“The absence of restrictions on offensive uses of vulnerabilities disclosed through the CRA and the absence of transparent oversight mechanism in almost all EU Member States open the doors to potential misuse,” it read. Breaches and the subsequent misuse of government-held vulnerabilities are not a theoretical threat; they have occurred at some of the best-protected entities in the world, the letter pointed out. “While the CRA does not require a full technical assessment to be disclosed, even the knowledge of a vulnerability’s existence is sufficient for a skillful person to reconstruct it.”

Prematurely disclosed vulnerabilities could interfere with the coordination and collaboration between software publishers and security researchers too, impacting their ability to verify, test, and patch vulnerabilities before making them public, the letter continued. “The CRA may reduce the receptivity of manufacturers to vulnerability disclosures from security researchers, and may discourage researchers from reporting vulnerabilities, if each disclosure triggers a wave of government notifications.”

EU urged to adopt risk-based approach to vulnerability disclosure

The letter recommended that the CRA adopt a risk-based approach to vulnerability disclosure, considering factors such as the severity of vulnerabilities, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation. It stated that Article 11, paragraph 1, should either be removed in its entirety or revised as follows:

  • Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.
  • Only the reporting of mitigatable vulnerabilities should be required within 72 hours of effective mitigations (e.g., a patch) becoming publicly available. Details could include the initial discovery date by the manufacturer.
  • The CRA should not require reporting of vulnerabilities that are exploited through good-faith security research.
  • ISO/IEC 29147 should be referenced in Article 11-1 and used as the baseline for all EU vulnerability reporting.
