New EU vulnerability disclosure rules deemed an "unnecessary risk"
The vulnerability disclosure rules in the Cyber Resilience Act could also cause a “chilling effect” on security researchers


New vulnerability disclosure requirements in the EU’s Cyber Resilience Act (CRA) could create unnecessary risks for consumers and businesses, security experts have warned.
In an open letter signed by senior figures at more than 50 organizations, experts said that aspects of Article 11 in the CRA are “counterproductive and will create new threats that undermine the security of digital products and the individuals who use them”.
Article 11 of the CRA will require software publishers to disclose unpatched vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of exploitation. Information on vulnerabilities would then be passed on to various government agencies responsible for member state security.
The requirement means that software providers will essentially feed known vulnerabilities into a “real-time database” containing information on unpatched flaws to provide agencies with an overview of ongoing or potential security issues.
This move is part of an effort from EU lawmakers to speed up vulnerability disclosures, ensure greater transparency and accountability, and ultimately protect consumers.
However, critics of the move argue this places organizations at heightened risk by having a repository of unmitigated vulnerabilities that could be targeted by threat actors.
The open letter also suggests that the move could prompt a trend of “rushing the disclosure process”, which places greater strain on security practitioners and software providers and could result in botched patches.
“Dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors,” the letter reads.
“There are several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities.”
The “risk of exposure to malicious actors” is a key concern highlighted in the open letter.
The potential for breaches and exploitation of vulnerabilities recorded by government agencies isn’t merely a “theoretical threat”, and could place organizations in the cross-hairs of threat actors while they are still scrambling to issue patches, the letter adds.
“Breaches and the subsequent misuse of government held vulnerabilities are not a theoretical threat but have happened at some of the best protected entities in the world,” the letter reads.
“While the CRA does not require a full technical assessment to be disclosed, even the knowledge of a vulnerability's existence is sufficient for a skillful person to reconstruct it.”
Alex Rice, co-founder and CTO at HackerOne and a signatory of the open letter, said the proposed reporting practices could create a “strong incentive” for threat actors to target specific government agencies.
“HackerOne is an advocate for vulnerability disclosure, but that disclosure must be done responsibly and cannot open organizations to more cyber security risk,” he said.
“Reporting highly sensitive data into only a handful of EU government agencies creates a strong incentive for bad actors to breach those hubs and acquire vulnerabilities to attack susceptible organizations — among a whole host of other risks.”
Article 11 “goes against reporting best practices”
Rice acknowledged that reporting obligations are necessary to ensure transparency and improve security, adding that the “intentions of the Cyber Resilience Act are great”.
However, the proposed requirements “conflict with vulnerability reporting best practices” and as such should be amended.
The open letter outlined a series of proposed revisions to Article 11 to accommodate factors such as severity of vulnerabilities and the likelihood of exploitation by threat actors.
This includes a recommendation that the mandatory reporting deadline be changed to 72 hours after “effective mitigation” of a vulnerability, so that reporting does not itself raise the risk of exploitation.
“We support this obligation, but also advocate for a responsible and coordinated disclosure process that balances the need for transparency with the need for security,” the letter reads.
“We recommend that the CRA adopt a risk-based approach to vulnerability disclosure, taking into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation.”
Article 11 could have “chilling effect” on security researchers
Casey Ellis, founder and CTO at Bugcrowd and a signatory of the open letter, told ITPro that the disclosure requirements could have a “chilling effect” on good-faith security researchers and white hat hackers.
The potential impact on security researchers was highlighted in the open letter, which warned that, in its current form, the Act could “prematurely interfere with the coordination and collaboration between software publishers and security researchers”.
Tight deadlines for disclosure set by the CRA fail to recognize the time required to verify, test, and patch vulnerabilities before revealing them publicly, the letter argued.
Ellis told ITPro that this aspect of the Act could create “friction” for security researchers and their willingness to engage in activities such as bug hunting.
In addition, the requirements could complicate the management of reports from the researcher community and make organizations less receptive to good-faith security research.
“We’ve spent the past 10 years basically trying to remove friction and it’s been a struggle, so I think anything that comes in and re-introduces friction is a bad thing.”
“People that hack in good faith are here to act as the internet’s immune system, and the internet, for the better part, has had an auto-immune deficiency that we’re now climbing out of.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.