October 3, 2023 | A group of 56 cybersecurity leaders, including professionals from ESET, Rapid7, the Electronic Frontier Foundation, and Google’s Vint Cerf, have criticized the European Union’s (EU) proposed one-day vulnerability disclosure requirement under the Cyber Resilience Act (CRA). In an open letter, they argue that the CRA’s requirement for software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation could create a tempting target for malicious actors and have a chilling effect on good-faith security researchers. They suggest that disclosing vulnerabilities prematurely may interfere with the coordination and collaboration between software publishers and security researchers.
Read full article
