The EU’s Cyber Resilience Act is still in an extended revision period, but the vulnerability disclosure terms that lawmakers have settled on have drawn serious criticism from privacy and digital rights groups.
The bill would require that the government be notified of vulnerabilities within 24 hours of discovery, before any serious mitigation action could be taken. Beyond the added security risk this creates, groups like the EFF believe that open source development and bug hunting would see serious negative impact.
Open source groups: Vulnerability disclosure terms would upend development, be a net negative for security
The presumed purpose of the government’s near-instant disclosure requirement would be to issue warnings, something that could be very detrimental overall if the vulnerability has not yet been patched or had solid mitigation measures developed for it. A public warning for an unpatched vulnerability would essentially act as a beacon for attacks, creating an even more dire scenario for organizations all over the world scrambling to mitigate.
Public safety is not the only basis upon which advocates oppose the Cyber Resilience Act terms, however. Individual open source developers might be held responsible under the new rules if they receive any funding associated with the project, such as working as an employee of an open source foundation. That could cause droves of people to leave open source development due to the risk. And the new vulnerability disclosure rules would also likely cause companies to scale back their bug reporting programs.
The current wording of the Cyber Resilience Act is not fully developed as regards open source. It all hinges on exactly how “commercial activity” is defined, something lawmakers are likely to return to as the process moves forward. But while that might address some open source development issues, it does not head off the vulnerability disclosure concerns. A worst-case scenario might see projects and developers steering away from the EU entirely.
Cyber Resilience Act still has long march to adoption
The overall goal of the Cyber Resilience Act is both noble and necessary: push manufacturers to make smart devices more secure by design, something that has been badly needed in the market since these devices first became available. The vulnerability disclosure terms make the cybersecurity community leery not only of premature public awareness of flaws, but also of the possibility that EU governments might misuse the database that would be created.
EU government agencies would at minimum have to step up their security, as these hoards of vulnerability disclosures would immediately become a highly valuable target for both advanced state-backed hackers and skilled ransomware gangs. There have been copious reports of late of Chinese APT groups hiding out in systems for months or years at a time; such a group might already have access to a network that houses Cyber Resilience Act lists.
So what would improve the terms of the Cyber Resilience Act? An open letter signed by the EFF and over a dozen other agencies suggests limiting the required details attached to vulnerability disclosures to ensure that they cannot be reverse engineered, providing a much bigger window for mitigation (up to 90 days) if the vulnerability has not yet been used to cause harm in the wild, and a formal ban on government agencies making use of reported vulnerabilities.