Dear Jan, 

Thank you for drafting this letter. epicenter.works happily signs.

One addition I would suggest appended to point 5 is something like: 
“Good faith security researchers that follow coordinated vulnerability disclosure standards should be protected from retaliation by the CRA.”

We have that point in the common position, and point 5 of this letter is so close to the issue that it makes sense to reiterate it here.

Best, 
Thomas 


epicenter.works – for digital rights
Thomas Lohninger, Executive Director

E-Mail: thomas.lohninger@epicenter.works
Telephone: +43 680 123 86 11
Twitter: @socialhack

Send an encrypted e-mail using this PGP key:
1B79 2E14 2E31 0E7E 2742 3990 BE16 D613 7FC1 9312


On 06.06.2023, at 05:29, Jan Penfrat (EDRi) <jan.penfrat@edri.org> wrote:

Dear EDRis,

Thank you for allowing me to cross-post this so everyone has seen it:

While the overall work on the Cyber Resilience Act is going rather well (as compared to other legislative dossiers, I assume), one of the problems still persists: the EP wants to compel manufacturers of connected devices to notify the EU's Agency for Cybersecurity ENISA about details of unpatched security vulnerabilities.

Given EU member states' track record of state-sanctioned hacking, we believe it's a bad idea to create government-run databases full of zero-day exploits.

I have therefore drafted an open letter to lawmakers working on the CRA to fix that problem and would like to kindly ask you to co-sign it individually if you can by Monday, 12 June at noon.

Please also let me know should you have any major concerns with the draft letter.

Thanks a lot!

Jan

--

JAN PENFRAT
SENIOR POLICY ADVISOR

EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76

www.edri.org | Mastodon | PGP


Subscribe to the EDRi-gram.