October 3, 2023
Stéphane Duguin, our CEO, among dozens of global cybersecurity experts, has signed a joint letter, raising concerns about the EU’s Cyber Resilience Act (CRA).
The cybersecurity experts, dedicated to improving the security of the online environment, urge EU decision makers to reconsider the vulnerability disclosure requirements under the proposed CRA. While the signatories, representatives from a wide range of organisations, appreciate the CRA’s aim to improve cybersecurity in Europe and beyond, they believe that the current provisions are counterproductive, creating new risks that undermine the security of digital products and the individuals who use them.
The letter draws special attention to Article 11 of the CRA, which requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. The signatories argue that with this procedure, dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment. The letter points out several risks associated with rushing the disclosure process and having a widespread knowledge of unmitigated vulnerabilities. This database would create a tempting target for malicious actors.
The signatories recommend that the CRA adopts a risk-based approach to vulnerability disclosure, which takes factors into account such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation.
Tony Anscombe, Chief Security Evangelist, ESET
Jaya Baloo, Chief Security Officer, Rapid7
Christine Bejerasco, Chief Cybersecurity Officer, WithSecure
Dan Berte, Director of IoT Security, Bitdefender
Bill Buddington, Senior Staff Technologist, Electronic Frontier Foundation
Anne-Marie Buzatu, Executive Director, ICT4Peace Foundation
Ed Cabrera, Chief Cybersecurity Officer, Trend Micro
Sergio Caltagirone, President, Threat Intelligence Academy
Vint Cerf, VP and Chief Internet Evangelist, Google
Amy Chang, Senior Fellow, Cybersecurity and Emerging Threats, R Street Institute
Jon Clay, Vice President of Threat Intelligence, Trend Micro
John Costello, Deputy Director and Senior Fellow, Wadhwani Center for AI and Advanced Technologies
Peter Dahlen, Managing Director, AmCham Sweden
Christian Dawson, Executive Director, i2Coalition
Ron Deibert, Professor of Political Science and Director, the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy
Stephane Duguin, Chief Executive Officer, CyberPeace Institute
Casey Ellis, Founder and Chief Technology Officer, Bugcrowd and Co-Founder, Disclose.io Project
Anriette Esterhuysen, Senior Advisor for Internet Governance, Association for Progressive Communications
Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation
Ram Ganeshanathan, Vice President of Enterprise Security, Arm
Kenneth Geers, Senior Fellow, Atlantic Council and Ambassador for NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
Brian Gorenc, Vice President of Threat Research, Trend Micro
Bruce Gustafson, President and Chief Executive Officer, Developers Alliance
Robert Huber, Chief Security Officer, Tenable, Inc.
Toomas Hendrik Ilves, Former President of Republic of Estonia
Tom Kellermann, Senior Vice President of Cyber Strategy, Contrast Security
Wolfgang Kleinwächter, Professor Emeritus for Internet Policy and Regulation, University of Aarhus
Mallory Knodel, Chief Technology Officer, Center for Democracy and Technology, member of Internet Architecture Board 4
Olaf Kolkman, Principal, Internet Society and former commissioner of the Global Commission on the Stability of Cyberspace
Dr. Ilia Kolochenko, Chief Architect & Chief Executive Officer, ImmuniWeb
Bostjan Koritnik, Deputy Mayor of the Municipality of Ljubljana, Secretary General of the Association of the Slovenian Lawyers Societies, and former Slovenian Minister for Public Administration
Stephanie Leonard, Head of Government and Regulatory Affairs, TomTom
Ciaran Liam Martin, Professor, Blavatnik School of Government, University of Oxford and former head of the UK National Cyber Security Centre
Paul Meyer, Senior Advisor, ICT4Peace Foundation
Jeff Moss, Founder of Black Hat and DEF CON Conferences, President, DEF CON Communications, Inc.
Katie Moussouris, Founder and Chief Executive Officer, Luta Security and Co-author/Co-editor of ISO 29147 and ISO 30111
Chris Painter, Former US State Department Cyber Coordinator
Bart Preneel, Professor, KU Leuven
Brandon J. Pugh, Director and Senior Fellow for Cybersecurity and Emerging Threats, R Street Institute
Allison Pytlak, Program Lead of the Cyber Program, The Stimson Center
Damir Rajnovic, Cyber Security Manager, Panasonic and former FIRST Board member
Costin Raiu, Independent Researcher; MUTE Group Founding Member and Virus Bulletin Advisory Board Member
Alex Rice, Co-Founder and Chief Technology Officer, HackerOne
Marietje Schaake, Stanford University Cyber Policy Center, Former Member of the European Parliament
Max Smeets, Director of the European Cyber Conflict Research Initiative and a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich
Rayna Stamboliyska, Chief Executive Officer and Founder, RS Strategy – Mastering Uncertainty
Fook Hwa Tan, Chief Quality Officer, Northwave
Jason Turflinger, Managing Director, AmCham Norway
Kayla Underkoffler, Lead Security Technologist, HackerOne
Kristen Verderame, Vice President of Global Government Relations, NetApp Professor
Johanna Weaver, Director of Tech Policy Design Centre, Australian National University
Bill Woodcock, Executive Director, Packet Clearing House
The letter represents the views of the individuals. The names of organizations are included for identification purposes only.