Formed in autumn 2017, the CEPS Task Force on Software Vulnerability Disclosure in Europe has worked on defining guidelines to harmonize the process of Coordinated Vulnerability Disclosure (CVD) in Europe and formulating specific principles to guide member states in the development of a European vulnerability equity process (VEP).
On the 28th of June the Task Force released the final report.
Task Force Activities
CEPS, as part of the Cybersecurity@CEPS Initiative, launches a Task Force on “Software Vulnerability Disclosure in Europe”, 27 September 2017.
For decades, the issue of SW vulnerability disclosure has been the subject of a lively debate in the information security arena. Recent events, however, have created a new sense of urgency on this issue. The ransomware attacks from Wannacry took advantage of a vulnerability in Microsoft software discovered by the National Security Agency (NSA) and leaked by a group of hackers called Shadow Brokers. Such incidents raise the attention on the widespread activity of stockpiling vulnerabilities by national intelligence agencies around the world. Moreover, with the development of the Internet of Things and billions of devices connected to the internet, the attack surface is becoming broader and the impact of vulnerabilities will be even greater, thereby increasing the risks to critical infrastructure.
The CEPS Task Force on SW Vulnerability Disclosure in Europe will look at key aspects of the debate on this issue with the purpose of defining guideline to harmonize the process of Coordinated Vulnerability Disclosure (CVD) in Europe. The Task force will then outline specific principles for member states for the development of a European vulnerability equity process (VEP) with clear priority given to reporting vulnerabilities to vendors.
Chair: Marietje Schaake, Member of European Parliament
Coordinator and Rapporteur: Lorenzo Pupillo, Associate Senior Research Fellow, CEPS
Rapporteurs
- Afonso Ferreira, Directeur de Recherche CNRS
- Gianluca Varisco, Cybersecurity Expert, Italian Digital Transformation Team
- Antonella Zarra, Research Assistant, CEPS
Meetings:
Kick-off meeting: Wednesday, 27 September 2017 – Download the agenda
- Report 1st meeting
- Presentation of Ross Anderson, Cambridge University
- Presentation of Hielke Bontius, National Cyber Security Center, The Netherlands
- Presentation of Gianluca Varisco, Italian Digital Transformation Team
Date 2nd meeting: 29 November 2017 – Download the Agenda
- Report of the meeting
- Presentation by Gianluca Varisco, Italian Digital Transformation Team (Very Preliminary)
- Presentation by Baiba Kaskina, CERT Latvia & Chair TF-CSIRT
- Presentation by Takayuki Uchiyama, CERT Japan
- Presentation by Andriani Ferti, Karatzas & Partners Law Firm
- Presentation by Jeroen van der Ham, National Cyber Security Centre, The Netherlands
Date 3rd meeting: 31 January 2018 – Download the agenda
CEPS presents preliminary findings at European Parliament roundtable, 27 February 2018
On the 27th of February, the CEPS Task Force on Software Vulnerability Disclosure in Europe has presented its initial findings in a roundtable at the European Parliament. The CEPS Task Force has attempted to define guidelines to harmonize the process of Coordinated Vulnerability Disclosure (CVD) in Europe and attempted to outline specific principles for member states for the development of a European vulnerability equity process (VEP).
Here is the link to the agenda and registration form: https://marietjeschaake.eu/en/software-vulnerability-disclosure-in-europe
We inform you that this event has been web-streamed. Here is the link.
Download the Policy Recommendations reached by the members of the Task Force and presented at the event.
How to join
Download the Prospectus, consult the conditions for participation, fill in application form and return it us.
For further questions, please do not hesitate to contact Lorenzo Pupillo, Associate Senior Research Fellow, CEPS by email at: lorenzo.pupillo@ceps.eu.