21 Jun 2023

Oversharing is not caring, it is a cyber risk: joint statement raising concerns on unpatched vulnerability reporting in the Cyber Resilience Act

Vulnerability handling plays a crucial role in maintaining the security and integrity of digital products. By identifying security weaknesses, it allows manufacturers to fix them quickly and effectively. 

However, the proposed extension of vulnerability reporting to ‘unpatched’ vulnerabilities in the Cyber Resilience Act – meaning those to which there is no known fix – will severely harm our collective cybersecurity, rather than enhance it.

We – a diverse coalition of national, European and international associations active across different sectors – ask the European Parliament and Council to remove these obligations, and to instead focus on the reporting of patched vulnerabilities that have been actively exploited and pose a significant cybersecurity risk. As with ‘cyber threats’ under the NIS2 Directive, manufacturers should, where appropriate, communicate to potentially affected users, especially in a business-to-business context, any measures or remedies they can take in response to a significant vulnerability.

In contrast, reporting unpatched vulnerabilities exposes products to further cyberattacks. In addition, accumulating such sensitive data, be it with ENISA or national authorities, is a cybersecurity risk in itself and will only attract more malicious actors from around the world. For this reason, no other like-minded country has adopted such measures. Established coordinated vulnerability disclosure standards stipulate that vulnerabilities should only be disclosed where mitigation is available.

All signatories are ready to cooperate with the European Parliament and the Council to offer insights and perspectives on the matter, as well as on ongoing discussions of other articles, to ensure vulnerabilities continue to be handled responsibly and to further Europe’s cyber protection.

Download the full statement:

List of signatories:

For further information, please contact
Alberto Di Felice
Policy and Legal Counsel