EU’s Proposed Vulnerability Disclosure Requirements May Make Matters Worse
First announced in September 2021, with an initial proposal published in September 2022, the EU Cyber Resilience Act (CRA) changes the requirements for companies to disclose cybersecurity vulnerabilities and would apply to all software and hardware producers. Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of learning of their first exploitation.
This creates a significant problem for companies that rely on both internal vulnerability teams and external security researchers, because the requirement ignores the time it takes to patch a finding. Many vulnerabilities take days, weeks, or sometimes months to fix, so disclosing them before a fix exists gives attackers a window in which to exploit them. This could put numerous companies and consumers at risk, since under coordinated disclosure many vulnerabilities are not made known until after a patch has been released.
In response, a large number of industry groups and companies - including Google, ESET, Bugcrowd, and Trend Micro - authored a joint letter to address these concerns. The letter states: “the proposed extension of vulnerability reporting to ‘unpatched’ vulnerabilities in the Cyber Resilience Act – meaning those to which there is no known fix – will severely harm our collective cybersecurity, rather than enhance it. … the European Parliament and Council [should] remove these obligations, and to instead focus on the reporting of patched vulnerabilities that have been actively exploited and pose a significant cybersecurity risk.” It goes on to spell out the risks of such measures: “reporting unpatched vulnerabilities exposes products to further cyberattacks. In addition, accumulating such sensitive data … is a cybersecurity risk in itself and will only attract more malicious actors … Established coordinated vulnerability disclosure standards stipulate that vulnerabilities should only be disclosed where mitigation is available.”
The industry groups have made several suggestions to improve the proposal for both consumers and the industry:
Government agencies should not be allowed to use or share disclosed vulnerabilities.
A vulnerability should be reported only once a patch or mitigation is available. They suggested no less than 72 hours' lead time to ensure patches are adopted.
Reporting should not be required for vulnerabilities found through legitimate security research, whether internal or external.
If the EU proceeds with the proposal unchanged, it will make zero-day vulnerabilities far more common. Such reporting will mean that security teams must respond extremely quickly and be able to mitigate vulnerabilities even when no patch or fix exists. Because of that, proactive security testing will need to account for the possibility of a breach. If you are concerned, contact us to see how Glassportal can help you: demo@glassportal.io