Software vulnerabilities disclosure: The European landscape
Software today is everywhere: in our smartphones, our cars, our offices and our homes. But it has been estimated that the average programme has at least 14 separate points of vulnerability. Each of these weaknesses could permit an attacker to compromise the integrity of the product and potentially gain illicit entry. With the development of the Internet of Things, the attack surface is becoming broader and the impact of vulnerabilities will be even greater, increasing the risks to critical infrastructure.

‘Vulnerability disclosure’ is the process by which someone shares information about a security vulnerability so that it can be mitigated or fixed. Particularly critical are zero-day vulnerabilities: undisclosed software vulnerabilities that hackers can exploit to adversely affect computer programmes, data, additional computers or a network – and for which patches or mitigations do not yet exist.

The importance of introducing a Coordinated Vulnerability Disclosure (CVD) process in Europe – by which finders share vulnerability information with vendors, and stakeholders focus on ways to protect users – was at the centre of discussion at a CEPS cyber workshop on June 23rd in Brussels. The Dutch government is leading the way with a Coordinated Vulnerability Disclosure Initiative. ENISA – the European Union’s Agency for Network and Information Security – could also play a key role in this process. But there is quite a bit of ground still to be covered, especially on the role that governments should play when faced with the dilemma between disclosing zero-day vulnerabilities and retaining them for intelligence purposes. Only recently has the US government created a Vulnerability Equities Process (VEP), which explains how the government determines whether to release or retain a zero-day vulnerability.
Participants at the event called upon the EU to outline in its forthcoming revised Cybersecurity Strategy specific principles for Member States to follow in developing a European Vulnerability Equity Process with a clear priority given to reporting vulnerabilities to vendors.