How to improve software vulnerability disclosure in Europe
As software gets embedded in more and more things we use every day, the problem of software vulnerability reporting and patching rises in importance. Unfortunately, only a few European countries have put vulnerability disclosure processes in place.
CEPS, a think tank and forum for debate on EU affairs, has delved into the problem, listened to industry experts, academics, representatives of EU and international institutions and civil society, and has come up with recommendations on how to improve software vulnerability disclosure in Europe.
The think tank’s extensive report can be reviewed here, but the gist of it is as follows: there needs to be legal clarity regarding software vulnerability discovery and disclosure, an effective policy framework for implementing coordinated vulnerability disclosure in Europe, and government disclosure decision processes have to be set up.
CEPS’ recommendations
“Researchers involved in vulnerability discovery are often exposed to criminal or civil liability. The legal liability and responsibilities of security researchers should be fully clarified to enable them to continue their work without fear of prosecution,” the authors of the report advise. Incentives (whether monetary or not) for security researchers should also be offered.
“Amend Directive 2013/40/EU on attacks against information systems (the EU cybercrime Directive) to allow the smooth and rapid development of coordinated vulnerability disclosure (CVD). In transposing the NIS Directive, particularly its Article 14, member states may explicitly consider including CVD as one of the technical and organisational measures,” they added.
And, if the Cybersecurity Act proposed in October 2017 is passed, the European Network and Information Security Agency (ENISA) will be able to contribute to the development of CVD in the EU, the authors noted.
The agency can help write EU-wide guidelines for the reporting process, set up a web portal for researchers so they can disclose vulnerabilities anonymously, and help coordinate cooperation between national and international actors. It can also create a team of white-hats that would help EU member states and operators of essential services to mitigate software vulnerabilities.
Again, if the Cybersecurity Act is passed, CVD might be included in the proposed European Cybersecurity Certification Scheme.
All that is at the EU level. The various EU member states should amend their national legislation to encourage CVD and should work on implementing transparent government disclosure decision processes (GDDP) to coordinate the disclosure of vulnerabilities they discover or are informed about.
Among the best practices for the latter, CEPS advises that non-disclosure agreements with contractors, resellers or security researchers be prohibited, and that vulnerabilities be disclosed immediately to the affected vendors so they can be patched as soon as possible.
“Where the vulnerabilities potentially affect the safety of regulated products (such as cars, medical devices or railway signals), the relevant EU safety and standards bodies should be involved in the GDDP,” the think tank notes.