Joint Letter of Experts on CRA and Vulnerability Disclosure

October 3, 2023

Stéphane Duguin, our CEO, is among dozens of global cybersecurity experts who have signed a joint letter raising concerns about the EU’s Cyber Resilience Act (CRA).

The signatories, cybersecurity experts dedicated to improving the security of the online environment and drawn from a wide range of organisations, urge EU decision makers to reconsider the vulnerability disclosure requirements in the proposed CRA. While they appreciate the CRA’s aim of improving cybersecurity in Europe and beyond, they believe that the current provisions are counterproductive: they create new risks that undermine the security of digital products and of the individuals who use them.

The letter draws special attention to Article 11 of the proposed CRA, which would require software publishers to report actively exploited vulnerabilities to government agencies within 24 hours of becoming aware of the exploitation, that is, in many cases before a patch or mitigation exists. The signatories argue that, under this procedure, dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to use that information to protect the online environment. The letter points out several risks that follow from rushing the disclosure process and from spreading knowledge of unmitigated vulnerabilities so widely: among them, such a database would itself become a tempting target for malicious actors.

The signatories recommend that the CRA adopt a risk-based approach to vulnerability disclosure, one that takes into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation.

SIGNATORIES

Tony Anscombe, Chief Security Evangelist, ESET 

Jaya Baloo, Chief Security Officer, Rapid7 

Christine Bejerasco, Chief Cybersecurity Officer, WithSecure 

Dan Berte, Director of IoT Security, Bitdefender 

Bill Buddington, Senior Staff Technologist, Electronic Frontier Foundation 

Anne-Marie Buzatu, Executive Director, ICT4Peace Foundation 

Ed Cabrera, Chief Cybersecurity Officer, Trend Micro 

Sergio Caltagirone, President, Threat Intelligence Academy 

Vint Cerf, VP and Chief Internet Evangelist, Google 

Amy Chang, Senior Fellow, Cybersecurity and Emerging Threats, R Street Institute 

Jon Clay, Vice President of Threat Intelligence, Trend Micro 

John Costello, Deputy Director and Senior Fellow, Wadhwani Center for AI and Advanced Technologies 

Peter Dahlen, Managing Director, AmCham Sweden 

Christian Dawson, Executive Director, i2Coalition 

Ron Deibert, Professor of Political Science and Director, the Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy 

Stéphane Duguin, Chief Executive Officer, CyberPeace Institute

Casey Ellis, Founder and Chief Technology Officer, Bugcrowd and Co-Founder, Disclose.io Project 

Anriette Esterhuysen, Senior Advisor for Internet Governance, Association for Progressive Communications 

Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation 

Ram Ganeshanathan, Vice President of Enterprise Security, Arm 

Kenneth Geers, Senior Fellow, Atlantic Council and Ambassador for NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) 

Brian Gorenc, Vice President of Threat Research, Trend Micro 

Bruce Gustafson, President and Chief Executive Officer, Developers Alliance 

Robert Huber, Chief Security Officer, Tenable, Inc. 

Toomas Hendrik Ilves, Former President of Republic of Estonia 

Tom Kellermann, Senior Vice President of Cyber Strategy, Contrast Security 

Wolfgang Kleinwächter, Professor Emeritus for Internet Policy and Regulation, University of Aarhus 

Mallory Knodel, Chief Technology Officer, Center for Democracy and Technology, member of the Internet Architecture Board

Olaf Kolkman, Principal, Internet Society and former commissioner of the Global Commission on the Stability of Cyberspace 

Dr. Ilia Kolochenko, Chief Architect & Chief Executive Officer, ImmuniWeb 

Bostjan Koritnik, Deputy Mayor of the Municipality of Ljubljana, Secretary General of the Association of the Slovenian Lawyers Societies, and former Slovenian Minister for Public Administration 

Stephanie Leonard, Head of Government and Regulatory Affairs, TomTom 

Ciaran Liam Martin, Professor, Blavatnik School of Government, University of Oxford and former head of the UK National Cyber Security Centre 

Paul Meyer, Senior Advisor, ICT4Peace Foundation 

Jeff Moss, Founder of Black Hat and DEF CON Conferences, President, DEF CON Communications, Inc. 

Katie Moussouris, Founder and Chief Executive Officer, Luta Security and Co-author/Co-editor of ISO 29147 and ISO 30111 

Chris Painter, Former US State Department Cyber Coordinator 

Bart Preneel, Professor, KU Leuven 

Brandon J. Pugh, Director and Senior Fellow for Cybersecurity and Emerging Threats, R Street Institute 

Allison Pytlak, Program Lead of the Cyber Program, The Stimson Center 

Damir Rajnovic, Cyber Security Manager, Panasonic and former FIRST Board member 

Costin Raiu, Independent Researcher; MUTE Group Founding Member and Virus Bulletin Advisory Board Member 

Alex Rice, Co-Founder and Chief Technology Officer, HackerOne 

Marietje Schaake, Stanford University Cyber Policy Center, Former Member of the European Parliament 

Max Smeets, Director of the European Cyber Conflict Research Initiative and a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich 

Rayna Stamboliyska, Chief Executive Officer and Founder, RS Strategy – Mastering Uncertainty 

Fook Hwa Tan, Chief Quality Officer, Northwave 

Jason Turflinger, Managing Director, AmCham Norway 

Kayla Underkoffler, Lead Security Technologist, HackerOne 

Kristen Verderame, Vice President of Global Government Relations, NetApp

Johanna Weaver, Director of Tech Policy Design Centre, Australian National University 

Bill Woodcock, Executive Director, Packet Clearing House

The letter represents the views of the individuals. The names of organizations are included for identification purposes only.

Press & Media Queries

For more information about the initiative, please contact the CyberPeace Institute at [email protected]
