Cyber experts urge EU to rethink vulnerability disclosure plans

Dozens of cyber security experts are urging the European Union (EU) to reconsider the “counterproductive” vulnerability disclosure requirements in its proposed Cyber Resilience Act (CRA), which they say opens the door to misuse by both threat actors and intelligence agencies.

Introduced in September 2022 by the European Commission (EC), the act builds on the EU’s cyber security Strategy and Security Union Strategy, and is intended to improve the security of all connected digital devices and the software they run for consumers across the bloc.

It imposes mandatory cyber security requirements and obligations on manufacturers by obliging them to provide ongoing security support and software patches, and to provide sufficient information to consumers about the security of their products.

On vulnerability disclosures specifically, Article 11 of the CRA states that software manufactures must notify the European Union Agency for cyber security (ENISA) of any vulnerabilities within 24 hours of their exploitation.

In an open letter to various EU officials – including Nicola Danti, the rapporteur for the CRA in the European Parliament; Thierry Breton, commissioner for internal market at the EC; and Carme Artigas Burga, Spain’s state secretary for digitalisation and artificial intelligence – dozens of cyber security experts from a range of public and private sector organisations said the CRA’s disclosure provisions will create new threats that undermine the security of digital products and the individuals who use them.

“[Article 11] means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors,” they wrote, adding there are several risks associated with rushing the disclosure process and widely disseminating information about unmitigated vulnerabilities.

This includes the potential for misuse by European governments, an increased risk of vulnerabilities being disclosed to malicious threat actors, and its potentially chilling effect on good faith security research.

“Government access to a wide range of unmitigated software vulnerabilities could be misused for intelligence or surveillance purposes. The absence of restrictions on offensive uses of vulnerabilities disclosed through the CRA and the absence of transparent oversight mechanism in almost all EU member states open the doors to potential misuse,” they wrote.

“Breaches and the subsequent misuse of government-held vulnerabilities are not a theoretical threat, but have happened at some of the best protected entities in the world. While the CRA does not require a full technical assessment to be disclosed, even the knowledge of a vulnerability’s existence is sufficient for a skilful person to reconstruct it.”

On how it affects security research, the cyber security experts added the disclosure measures may interfere with collaboration between software publishers and security researchers, who need time to verify, test and patch vulnerabilities before making them public knowledge.

“As a result, the CRA may reduce the receptivity of manufacturers to vulnerability disclosures from security researchers, and may discourage researchers from reporting vulnerabilities, if each disclosure triggers a wave of government notifications,” they wrote.

“While the intention behind disclosing vulnerabilities promptly may be to facilitate mitigation, CRA already requires software publishers to mitigate vulnerabilities without delay in a separate provision. We support this obligation, but also advocate for a responsible and coordinated disclosure process that balances the need for transparency with the need for security.”

As an alternative, the experts recommend adopting a “risk-based approach” that considers the severity of the vulnerability, the availability of mitigations, the potential impact on end users, and the likelihood of its broader exploitation.

As such, they have also recommended either completely removing the Article 11 provisions, or at least revising them to protect against the threats they outlined.

The additional revisions suggested include explicitly prohibiting government agencies from using or sharing disclosed vulnerabilities for intelligence or surveillance purposes; changing the reporting requirements to only include mitigatable vulnerabilities within 72 hours of a patch; and to completely exclude reporting of vulnerabilities identified through good faith security research.

“In contrast to malicious exploitation of a vulnerability, good faith security research does not pose a security threat,” they wrote, adding that ISO/IEC 29147 should be reference in the CRA and used as a baseline for all EU vulnerability reporting.

Alex Rice, co-founder and chief technology officer at HackerOne, added that while the intentions of the legislation are good, the proposed disclosure requirements directly conflict with established best practice in the area.

“Reporting highly sensitive data into only a handful of EU government agencies creates a strong incentive for bad actors to breach those hubs and acquire vulnerabilities to attack susceptible organisations – among a whole host of other risks. An increased risk of breach for organisations will also significantly complicate managing reports from the security researcher community, making organisations less receptive to good-faith security research,” he said.

“Everyone suffers when these vulnerabilities are prematurely reported. Parliament should revise the CRA only to require disclosure once vulnerabilities are patched.”

In June 2023, the European Digital Rights Group (EDRi) and 10 other civil society groups wrote a similar open letter raising concerns about the disclosure of unmitigated vulnerabilities.

“Such recently exploited vulnerabilities are unlikely to be mitigated within such a short time, leading to real-time databases of software with unmitigated vulnerabilities in the possession of potentially dozens of government agencies,” they wrote at the time.

“The more this kind of information is spread, the more likely it is to be misused for state intelligence or offensive purposes, or to be inadvertently exposed to adversaries before a mitigation is in place. In addition, laws that require disclosure of unmitigated vulnerabilities to government agencies create an international precedent that may be reflected by other countries.”