28 Jun 2018

Software Vulnerability Disclosure in Europe

Technology, Policies and Legal Challenges

Lorenzo Pupillo / Afonso Ferreira / Gianluca Varisco


This report presents analysis and recommendations for the design and implementation of a forward-looking policy on software vulnerability disclosure (SVD) in Europe. It is the result of extensive deliberations among the members of a Task Force formed by CEPS in September 2017, comprising industry experts, representatives of EU and international institutions, academics, civil society organisations and practitioners.

Drawing on current best practices throughout Europe, the US and Japan, the Task Force explored ways to formulate practical guidelines for governments and businesses to harmonise the process of handling SVD throughout Europe. These discussions led to policy recommendations addressed to member states and the EU institutions for the development of an effective policy framework for introducing coordinated vulnerability disclosure (CVD) and government disclosure decision processes (GDDP) in Europe.

Lorenzo Pupillo is Associate Senior Research Fellow at CEPS. Afonso Ferreira is Directeur de Recherche at the Centre national de la recherche scientifique (CNRS), and Gianluca Varisco is a Cybersecurity Expert with the Italian Digital Transformation Team. All three authors served as rapporteurs for the Task Force, which was chaired by Marietje Schaake, Member of the European Parliament.