Vulnerability handling plays a crucial role in maintaining the security and integrity of digital products. By identifying security weaknesses, it allows manufacturers to fix them quickly and effectively.
However, the proposed extension of vulnerability reporting to ‘unpatched’ vulnerabilities in the Cyber Resilience Act – meaning those to which there is no known fix – will severely harm our collective cybersecurity, rather than enhance it.
ESMIG, alongside a diverse coalition of national, European and international associations active across different sectors, asks the European Parliament and Council to remove these obligations, and to instead focus on the reporting of patched vulnerabilities that have been actively exploited and pose a significant cybersecurity risk. As with ‘cyber threats’ under the NIS2 Directive, manufacturers should, where appropriate, communicate to potentially affected users, especially in a business-to-business context, any measures or remedies they can take in response to a significant vulnerability.
In contrast, reporting unpatched vulnerabilities exposes products to further cyberattacks. In addition, accumulating such sensitive data, be it with ENISA or national authorities, is a cybersecurity risk in itself and will only attract more malicious actors from around the world. For this reason, no other like-minded country has adopted such measures. Established coordinated vulnerability disclosure standards stipulate that vulnerabilities should only be disclosed where a mitigation is available.
All signatories are ready to cooperate with the European Parliament and the Council to offer insights and perspectives on the matter, as well as on other ongoing discussions on other articles, to ensure vulnerabilities continue to be handled responsibly to further Europe’s cyber protection.