Expert Comment: Concerns about the proposed vulnerability disclosure requirements of the EU’s Cyber Resilience Act (CRA)
October 2023 by Sylvain Cortes, Hackuity VP Strategy & 17x Microsoft MVP
This week, multiple cybersecurity experts have raised concerns about the proposed vulnerability disclosure requirements of the EU’s Cyber Resilience Act (CRA), to the point that an open letter signed by representatives from a wide range of organisations claimed that the vulnerability disclosure provisions are counterproductive and will create new threats.
Sylvain Cortes, 17x Microsoft MVP and VP Strategy at Hackuity, says: “The proposed vulnerability disclosure requirements by the EU’s Cyber Resilience Act (CRA) are, as the open letter points out, very concerning. The CRA would require software publishers to share known vulnerabilities within 24 hours of exploitation. For this to be possible, a huge database for multiple government agencies would need to be created, which would naturally carry a huge risk in itself.
Responsible vulnerability disclosure is, of course, essential, but this repository could also create an attractive target for criminals.
European law makers must take into account that risk-based prioritisation of vulnerabilities is the safest and most effective approach to vulnerability disclosure.
Whilst an always-on, global view of vulnerabilities and their exploitation is mission-critical for organisations, lawmakers must avoid creating a risky mountain out of a molehill.”