Hi Walter,
Thanks for proposing this and sorry I can only write back now due to
some off-time last week.
In our position paper we point at a typical disclosure period of 90
days, so maybe we can try keeping the letter text compatible with that?
Also, looking at Ross' comments on the members list it seems that the
disclosure issue is more contentious than expected. If possible I would
therefore suggest not adding a new requirement this time and staying close to
the EDRi position, would that be OK?
The current wording is "3. Provide time to mitigate. In the absence of
user harm or a substantial incident, organisations should have a
reasonable time to remediate or address the vulnerability before
requiring disclosure to governments. A typical standard period for the
mitigation of known vulnerabilities is 90 days."
Would Vrijschrift be interested in co-signing?
Thanks a lot!
Jan
On 07/06/2023 12:55, Walter van Holst wrote:
On 06-06-2023 13:29, Jan Penfrat (EDRi) wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one of the problems that still persists: The EP wants to
compel manufacturers of connected devices to notify the EU's Agency
for Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctioned hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the
CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that
problem and would like to kindly ask you to *co-sign it individually
if you can _by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Hi Jan,
I would add a 6th requirement:
Provide for transparency and require publication of vulnerabilities
shared with ENISA within six months upon receipt by ENISA.
Regards,
Walter
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion(a)mailman.edri.org
To unsubscribe send an email to
edri-cra-discussion-leave(a)mailman.edri.org
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>