CEPS Task Force on Software Vulnerability Disclosure in Europe

CEPS recently launched a new Task Force on Software Vulnerability Disclosure (SVD) in Europe, which is now looking at ways to devise guidelines for governments and businesses to harmonise the handling of SVD throughout Europe. At the second meeting, on November 29th, presentations were given by newly joined participants from the private sector and the EU institutions, as well as by the computer emergency response teams (CERTs) of Latvia and Japan.

Among the items discussed at the meeting were the following:

  • A preliminary mapping of the Coordinated Vulnerability Disclosure (CVD) models currently in use in Europe. It shows that only a few member states have such a process in place, suggesting the need for a unified approach.
  • Current legal constraints on the implementation of CVD in Europe. The concerns centre on how CVD interacts with criminal law, and in particular on the treatment of hacking (unauthorised access to systems) as a criminal offence, which leaves researchers who report vulnerabilities in good faith exposed to prosecution. The Task Force decided to identify and analyse potential vehicles for addressing and overcoming these constraints.
  • The Dutch model of CVD and its possible extension to other member states. Its success rests on creating a space in which researchers and organisations can interact directly, with only limited government involvement.
  • The potential role that ENISA and the CERTs could play in this context.
  • Next steps to promote effective communication of the activities and results of the Task Force.