EU needs solid vulnerability disclosure rules

Marietje

The Center for European Policy Studies Task Force on Software Vulnerabilities in Europe will present a report today that calls for an EU strategy on the disclosure of software and hardware vulnerabilities. It maps for the first time how European countries are currently dealing with vulnerability disclosure. The report offers practical recommendations on how to improve the coordination and disclosure of software vulnerabilities by both private-sector and public actors.

MEP Marietje Schaake (ALDE), the Chair of the task force: “Disclosing vulnerabilities to software and hardware vendors and manufacturers is crucial to protect our digital society. If we do not seriously address this issue in EU cybersecurity policies, we are merely rearranging the deck chairs on the Titanic.”

EU approach needed

Schaake: “This report demonstrates that there is a lot of work to be done to create a common, European approach towards vulnerability disclosure. Thirteen states are currently contemplating setting up a coordinated vulnerability disclosure process in the EU. ENISA can play a role in ensuring that we do not end up with widely diverging policies. In the long run, we also need to agree on a single interpretation of what constitutes hacking, or illegal access to a computer system, in order to avoid a chilling effect on vulnerability research. A Dutch researcher who finds a vulnerability in Spanish software should not be treated differently from a Spaniard who reveals a weak spot in Dutch software.”

Schaake has proposed amendments to the EU Cybersecurity Act which would give ENISA a mandate to help countries in crafting coordinated vulnerability disclosure policies.

Earlier, Schaake organised a hearing with experts from Airbus, Mozilla, Access Now and the former Obama administration.