Hi Walter,
Thanks for proposing this and sorry I only can write back now due to some off-time last week.
In our position paper we point at a typical disclosure period of 90 days, so maybe we can try keeping the letter text compatible with that? Also, looking at Ross' comments on the members list it seems that the disclosure issue is more contentious than expected. If possible I would therefore suggest not add a new requirements this time and stay close to the EDRi position, would that be OK?
The current wording is "3. Provide time to mitigate. In the absence of user harm or a substantial incident, organisations should have a reasonable time to remediate or address the vulnerability before requiring disclosure to governments. A typical standard period for the mitigation of known vulnerabilities is 90 days."
Would Vrijschrift be interested in co-signing?
Thanks a lot!
Jan
On 06-06-2023 13:29, Jan Penfrat (EDRi) wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act <https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/> is going rather well (as compared to other legislative dossiers I assume), one of the problems that still persists: The EP wants to compel manufacturers of connected devices to notify the EU's Agency for Cybersecurity ENISA <https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity> about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we believe it's a bad idea to create government-run databases full of zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem and would like to kindly ask you to *co-sign it individually if you can _by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the draft letter.
Hi Jan,
I would add a 6th requirement:
Provide for transparency and require publication of vulnerabilities shared with ENISA within six months upon receipt by ENISA.
Regards,
Walter
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion@mailman.edri.org
To unsubscribe send an email to edri-cra-discussion-leave@mailman.edri.org
JAN
PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN
DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org | Mastodon | PGP