Thanks a lot for your input. I have no issues removing the "classified"
requirement, your paper is very helpful in this regard.

That is simply removing a sentence though and you also mention that you
think the letter needs a "radical rewrite" -- can you elaborate what else
you think should be changed based on EDRi's CRA position and maybe help

Note: if we want to influence the negotiations, we would need to send
the letter tomorrow or Wednesday at the very latest.
On 06/06/2023 22:20, Ross Anderson wrote:
I don't think it's sensible to demand that information about
unmitigated vulnerabilities be classified SECRET and not shared.
We've been saying for some years that it's wrong for the national
security establishment to hoard this information. If a vulnerability
gets disclosed in a car, for example, it will have to be shared with
the vehicle OEM and with the maintainer of the affected subsystem. The
information about breaches and exploits may have to be shared with
insurers and the local traffic police.

Sure, the US system privileges CERT and the NSA has an inside track on
that. Sure, that gives them some zero-days, and maybe ENISA or Europol
wants to catch up. But CERT also provides the infrastructure for
coordinated disclosure, for example when a new vulnerability in a
shared resource like Linux affects dozens to thousands of firms. See

It's also counterproductive to say that firms should be able to
withhold disclosure from government agencies. The big role played by
the state in the coordinated disclosure ecosystem is in providing a
liability shield for researchers. If I disclose a vuln to Barclays
Bank, I get a nastygram from their lawyers, and it costs me money to
apologise and promise to keep it quiet forever. But if I disclose it
to the European Central Bank, they then disclose it to Visa who
disclose it to Barclays, which does not dare to complain. Similarly,
if I find a vuln in Volkswagen I'm going to tell TUV first, and if I
find a vuln in iOS I'll tell CERT plus perhaps Citizen Labs as they
will see to it that Apple actually fixes it.

I think this letter needs a radical rewrite.
On 06/06/2023, Jan Penfrat (EDRi) <jan.penfrat(a)edri.org> wrote:
> Dear EDRis,
> Thank you for allowing me to cross-post this so everyone has seen it:
> While the overall work on the Cyber Resilience Act is going rather well
> (as compared to other legislative dossiers I assume), one of the
> problems that still persists is that the EP wants to compel
> manufacturers of connected devices to notify the EU's Agency for
> Cybersecurity ENISA about details of unpatched security vulnerabilities.
> Given EU member states' track record of state-sanctioned hacking, we
> believe it's a bad idea to create government-run databases full of
> zero-day exploits.
> I have therefore drafted an open letter to lawmakers working on the CRA
> <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
> and would like to kindly ask you to *co-sign it individually if you can
> _by Monday, 12 June at noon_*.
> Please also let me know should you have any major concerns with the
> draft letter.
> Thanks a lot!
> JAN PENFRAT
> SENIOR POLICY ADVISOR
> EUROPEAN DIGITAL RIGHTS
> Rue Belliard 12, B-1040 Brussels
> Matrix: @jan:penfrat.net
> Phone: +32 2 274 25 76
> <https://eupolicy.social/@ilumium> | PGP
> Subscribe to the EDRi-gram to become a digital rights connoisseur!
> Subscribe to the EDRi-gram.<https://edri.org/take-action/edri-gram/>