"EU Urged to Reconsider Cyber Resilience Act's Bug Reporting Within 24 Hours"

Security professionals and researchers from ESET, Rapid7, the Electronic Frontier Foundation (EFF), and other organizations have expressed concerns over the European Union (EU) requiring software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of their exploitation. Fifty-six cybersecurity leaders noted in an open letter to the EU that the proposed one-day vulnerability disclosure requirement under the Cyber Resilience Act (CRA) would give dozens of government agencies access to a real-time database of software with unpatched vulnerabilities, without any ability to secure them. According to the letter, this would create an enticing target for malicious actors, who could exploit the database for intelligence, and it would significantly affect security researchers. The open letter emphasized that prematurely disclosing vulnerabilities may interfere with the coordination and collaboration between software publishers and security researchers, who require additional time to verify, test, and patch vulnerabilities before making them public. This article continues to discuss the EU being urged to reconsider its proposed 24-hour vulnerability reporting requirement.

SC Media reports "EU Urged to Reconsider Cyber Resilience Act's Bug Reporting Within 24 Hours"

Submitted by grigby1
