
Dear Jan,

Thank you for drafting this letter. epicenter.works happily signs. One addition I would suggest appending to point 5 is something like:
“Good faith security researchers that follow coordinated vulnerability disclosure standards should be protected from retaliation by the CRA.”
We have that point in the common position, and point 5 of this letter is so close to the issue that it makes sense to reiterate it here.

Best,
Thomas

epicenter.works – for digital rights
Thomas Lohninger, Executive Director
E-Mail: thomas.lohninger@epicenter.works
Telephone: +43 680 123 86 11 <tel:+436801238611>
Twitter: @socialhack <https://twitter.com/socialhack>
Send an encrypted e-mail using this PGP key: 1B79 2E14 2E31 0E7E 2742 3990 BE16 D613 7FC1 9312 <https://pgp.key-server.io/search/thomas.lohninger@epicenter.works>
On 06.06.2023, at 05:29, Jan Penfrat (EDRi) <jan.penfrat@edri.org> wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act <https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/> is going rather well (as compared to other legislative dossiers, I assume), one problem still persists: the EP wants to compel manufacturers of connected devices to notify the EU's Agency for Cybersecurity, ENISA <https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>, about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctioned hacking, we believe it's a bad idea to create government-run databases full of zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem and would like to kindly ask you to co-sign it individually if you can by Monday, 12 June at noon.
Please also let me know should you have any major concerns with the draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org/> | Mastodon <https://eupolicy.social/@ilumium> | PGP <https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>