A European bill would require software publishers to disclose any vulnerability they discover to government agencies.

Around fifty cybersecurity experts have asked European authorities to review the vulnerability disclosure requirement of the Cyber Resilience Act (CRA), in an open letter published on October 3, 2023. The petitioners are calling for the removal, or at least a serious revision, of the bill’s Article 11, which is still under discussion.

The article requires software publishers to disclose their unpatched vulnerabilities to European governing bodies within 24 hours of discovering them. “This means dozens of government agencies would have access, in real time, to a database of software programs that have yet to be patched,” reads the letter.

According to the petitioners, rushing the disclosure process in this way entails three major risks:

  • EU governments exploiting the reported vulnerabilities for intelligence or espionage purposes;
  • threat actors attempting to steal the databases of unpatched vulnerabilities;
  • a breakdown of the working relationship between the researchers who find vulnerabilities and the software publishers who fix them.

The petitioners also point out that “the CRA already requires software publishers to mitigate vulnerabilities without delay (…). We support this requirement, but call for a responsible and coordinated disclosure process, which balances the need for transparency and the need for security.”
