EU Cyber Resilience Act & Coordinated Vulnerability Disclosure Policy
“It’s important when you buy a product that the product doesn’t have known vulnerabilities. That’s not the case today,” Thierry Breton, EU commissioner for the internal market.
First personal data (the GDPR, Regulation (EU) 2016/679), then critical infrastructure (the NIS Directive, 2016/1148) and now the Internet of Things: these are the three scopes the European legislator has taken on in order to “address the cyber threat, but also to become a leader in cyber security”, in the words of Ursula von der Leyen, President of the European Commission.
On 15 September 2022, Vice-President Margaritis Schinas and Commissioner Thierry Breton presented the proposal for a Cyber Resilience Act (CRA): a Regulation defining common European cybersecurity requirements for products with digital elements placed on the EU internal market. It can be seen as the final element of a wider regulatory strategy to protect European citizens and businesses against cyber-attacks.
The proposed legislation imposes new cybersecurity requirements on hardware and software products placed on the single market, such as smart toys, fridges and security cameras, whether they are produced in the EU or not, and for their whole lifecycle.
“Insecurity-by-design” as main market failure
The main market failure addressed by the proposal is the low level of cybersecurity, reflected in “widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”.
Over recent years, attacks such as Mirai, WannaCry, NotPetya and SolarWinds have shown how vulnerabilities in digital products are exploited at scale. They also showed that the successful exploitation of a vulnerability in a single product can paralyse global firms and lead to billions of euros in damages.
While our digital society derives clear benefits from the Internet of Things, for example lower operating costs, new consumer insights and the possibility of process optimisation, the attack surface of Internet-enabled products continues to grow, and with it the urgency of managing vulnerability disclosure.
To meet that challenge and to improve transparency about the security of hardware and software products, the European regulator has proposed a set of requirements that applies to all internet-connected products placed on the single market, regardless of where they were manufactured, and throughout their entire life cycle.
Among them, Article 10(6) of the proposed CRA requires manufacturers to “have appropriate policies and procedures, including coordinated vulnerability disclosure policies […], to process and remediate potential vulnerabilities in the product with digital elements reported from internal or external sources”. A coordinated vulnerability disclosure policy (CVDP) is therefore no longer a good practice left to the manufacturer's discretion but a condition for placing the product on the market. In practice this policy obligation sits next to a reporting clock: under Article 11 of the same proposal, manufacturers must notify ENISA of any actively exploited vulnerability in their product within 24 hours of becoming aware of it, so the intake channel a CVDP provides has to feed a triage process that can meet that deadline.
The CVDP as cornerstone of vulnerability management
Since the founding of YesWeHack, we have worked hard to raise awareness of the positive impact of ethical hackers in finding and reporting vulnerabilities, and to guarantee organisations a secure and accessible communication channel with well-intentioned security researchers.
Curious about the feedback on the application of our solution from one leading European IoT company? Watch the Parrot YouTube video.
We therefore consider the proposed CRA a significant step towards a harmonised pan-European approach that mandates the use of vulnerability disclosure policies (VDPs).
In 2019, the Cybersecurity Act, which created the framework for EU cybersecurity certification schemes, already referred to coordinated vulnerability disclosure as an important tool to support Member States' efforts to enhance cybersecurity. Earlier this year, the update of the Network and Information Security Directive (NIS 2) went further and encourages Member States to put in place CVD policies that facilitate the reporting, detection and remediation of vulnerabilities.
The European Union is clearly taking up the subject of CVD and facilitating its broader adoption in the Member States. However, some important topics remain to be examined and harmonised at European and global level: a common definition of what constitutes illegitimate access to an information system, a universal minimum legal protection for ethical hackers acting in good faith, corresponding amendments to the Directive on attacks against information systems (the “Cybercrime Directive”, 2013/40/EU), and the modalities of information sharing with ENISA and the Member States, among others.
YesWeHack is already actively engaged with European partners and customers to foster dialogue on these topics and to make Europe safer and more competitive on the global market. Ethical hackers have played, and will continue to play, a fundamental role in protecting our digital lives.
Eager to know more about Vulnerability Disclosure Policy? Check out our YouTube video.
Founded in 2015, YesWeHack is a global Bug Bounty & VDP platform. YesWeHack offers companies an innovative approach to cybersecurity with Bug Bounty (pay-per-vulnerability-discovered), connecting more than 40,000 cybersecurity experts (ethical hackers) across 170 countries with organisations to secure their exposed scopes and report vulnerabilities in their websites, mobile apps, infrastructure and connected devices.
YesWeHack runs private (invitation-only) programs and public programs for hundreds of organisations worldwide, in compliance with the strictest European regulations.
In addition to the Bug Bounty platform, YesWeHack also offers: a creation and management solution for Vulnerability Disclosure Policy (VDP), a Pentest Management Platform, a learning platform for ethical hackers called Dojo and a training platform for educational institutions, YesWeHackEDU.
More info: www.yeswehack.com