

04.10.2023

03.10.2023

In a new open letter, cybersecurity experts are calling for changes to the Cyber Resilience Act’s vulnerability disclosure requirements


Cybersecurity experts are urging European authorities to reconsider the vulnerability disclosure requirements in the Cyber Resilience Act (CRA). In an open letter signed by professionals from more than 50 organizations, they argue that parts of Article 11 will create new threats and undermine the security of digital products and their users. The CRA, proposed by the European Commission in September 2022, would introduce common cybersecurity requirements across the European Union (EU) for products with digital elements, including mandatory security updates and vulnerability handling obligations for connected (IoT) devices. Its stated goals are greater transparency, accountability, and consumer protection.

Under Article 11 as proposed, manufacturers must report a vulnerability in their products to the authorities within 24 hours of becoming aware that it is being actively exploited. In effect, this would create a real-time register of actively exploited vulnerabilities held by public bodies, many of them not yet patched. The experts argue that such a register exposes consumers and companies to unnecessary risk: concentrating knowledge of unpatched, exploited vulnerabilities in one place makes it a high-value target, and a 24-hour clock pushes vendors to report before a fix is ready. They add that rushing the process can produce incomplete or failed patches and puts additional pressure on security teams and software vendors.

The open letter warns that dozens of government agencies would gain real-time access to this vulnerability information, making the agencies themselves an attractive target for malicious actors, and raises the concern that information collected for defensive purposes could be misused. Rushing disclosure and spreading details of unpatched vulnerabilities across many recipients could disadvantage the affected organizations while creating opportunities for attackers. The signatories propose amending Article 11 so that reporting takes into account the severity of the vulnerability and the likelihood of exploitation by cybercriminals. Concretely, they recommend a risk-based approach and a reporting deadline of 72 hours after "effective mitigation" of the vulnerability, rather than 24 hours after discovery of exploitation, to minimize the window in which the reported information could be abused.

The experts also warn about the effect of the reporting requirements on coordinated vulnerability disclosure between software vendors and security researchers. In its current form, Article 11 does not account for the time needed to verify, test, and fix a vulnerability before information about it is shared beyond the parties working on the fix. That could disrupt coordination between vendors and researchers and ultimately weaken, rather than strengthen, cybersecurity.

This is not the first time these concerns have been raised. Digital rights organizations made similar points in an open letter in June, and a joint statement by cybersecurity organizations raised the same issues. Those earlier interventions likewise stressed the risk that vulnerability information distributed to a wide circle of recipients will be misused.

In short, the signatories are asking European authorities to reassess the vulnerability disclosure requirements in the Cyber Resilience Act, which they believe create new threats and undermine digital security. They propose a risk-based approach and a reporting deadline tied to effective mitigation rather than to discovery of exploitation, so that disclosure remains responsible and coordinated, and they caution about the consequences for vendor-researcher collaboration and the potential misuse of widely disseminated vulnerability information.


