Security Pros Warn that EU’s Vulnerability Disclosure Rule is Risky

October 13, 2023 at 03:48PM

The European Union (EU) is considering a rule that would require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. However, many IT security professionals are concerned about the potential abuse of this rule. They argue that the 24-hour window is too short and could leave organizations vulnerable to attacks. Some proposed alternative approaches include tiered disclosure, preliminary notification, and coordinated vulnerability disclosure. It is important to balance the need for patching vulnerabilities with protecting systems and citizens. The impact of this rule extends beyond the EU and could affect global operations of American corporations.

Key takeaways from the meeting notes:

1. The EU’s Cyber Resilience Act (CRA) includes a rule requiring software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.
2. Many IT security professionals are concerned about the 24-hour disclosure window, as it may enable adversaries to exploit the vulnerabilities before organizations have time to fix them.
3. There is support for alternative approaches to vulnerability disclosure, including tiered disclosure based on severity, preliminary notification, and coordinated vulnerability disclosure.
4. Any rule on vulnerability disclosure should explicitly prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes and should restrict access to the vulnerability database.
5. Some suggest that a more balanced approach would be for software companies to acknowledge reported vulnerabilities within a specified timeframe and provide a public fix within 90 days.
6. The impacts of the EU’s regulatory decisions on cybersecurity policies extend beyond Europe and can influence global operations, including those of American corporations.
7. U.S. systems using the same software as Europe could also be exposed to risks if vulnerabilities are disclosed hastily due to EU regulations.