Coordinated Vulnerability Disclosure policies in the EU
Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The valid source of concern comes from the cybersecurity threats looming behind vulnerabilities, as demonstrated by the impact of the Log4Shell vulnerability.
Security researchers and ethical hackers constantly scrutinise ICT systems - both open source and commercial closed source software - to find weaknesses, misconfigurations, software vulnerabilities, etc. A wide range of issues are thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.
Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to consider that attackers can always develop malware specially designed to exploit vulnerabilities disclosed to the public. Besides the identification itself, vendors can also be reluctant to acknowledge vulnerabilities as their reputation might be damaged as a consequence.
What is CVD?
Coordinated vulnerability disclosure (CVD) is a process by which vulnerabilities finders work together and share information with the relevant stakeholders such as vendors and ICT infrastructure owners.
CVD ensures that software vulnerabilities get disclosed to the public once the vendor has been able to develop a fix, a patch, or has found a different solution.
What are national CVD policies?
National CVD policies are national frameworks of rules and agreements designed to ensure:
researchers contact the right parties to disclose the vulnerability;
vendors can develop a fix or a patch in a timely manner;
researchers get recognition from their work and are protected from prosecution.
What is the situation in the EU?
The report published today maps the national CVD policies in place across the EU, compares the different approaches and, highlights good practices.
The analysis allows a wide disparity to be observed among Member States in relation to their level of CVD policy achievement. At the time the data used in the report was collected, only four Member States had already implemented such a CVD policy, while another four of them were about to do so. The remaining Member States are split into two groups: those currently discussing how to move forward and those who have not yet reached that stage.
What are ENISA’s recommendations to promote CVD?
The main recommendations from the analysis of nineteen EU Member States include:
Amendments to criminal laws and to the Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery;
the definition of specific criteria for a clear-cut distinction between “ethical hacking” and “black hats” activities prior to establishing any legal protection for security researchers;
incentives to be developed for security researchers to actively participate in CVD research, either through national or European bug bounty programmes, or through promoting and conducting cybersecurity training.
Apart from the above, additional recommendations are issued in relation to the economic and polical challenges and also address operational and crisis management activities.
The Commission’s proposal for the revision of the Network and Information Security Directive or NIS2 proposal, provides for EU countries to implement a national CVD policy. ENISA will be supporting the EU Member States with the implementation of this provision and will be developing a guideline to help EU Member States establish their national CVD policies.
In addition, ENISA will need to develop and maintain an EU Vulnerability database (EUVDB). The work will complement the already existing international vulnerability databases. ENISA will start discussing the implementation of the database with the European Commission and the EU Member States after the adoption of the NIS2 proposal.
The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in 2016, and the economic impact of vulnerabilites was explored in detail in 2018. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2018/2019 State of Vulnerabilities report.