The proper handling of vulnerabilities is essential for maintaining the security and integrity of digital products. Identifying security weaknesses allows manufacturers to address and resolve them promptly. However, extending vulnerability reporting obligations to “unpatched” vulnerabilities, as proposed in the Cyber Resilience Act, would harm collective cybersecurity rather than enhance it.

As a diverse coalition of national, European, and international associations across various sectors, we urge the European Parliament and Council to reconsider these obligations and instead prioritize the reporting of patched vulnerabilities that have been actively exploited and pose significant cybersecurity risks. Similar to the approach taken for “cyber threats” under the NIS2 Directive, manufacturers should communicate any necessary measures or remedies to potentially affected users in response to significant vulnerabilities, especially in a business-to-business context.

Reporting unpatched vulnerabilities can expose products to further cyberattacks. Moreover, accumulating such sensitive data, whether at ENISA or at national authorities, is a cybersecurity risk in itself and may attract malicious actors from around the world. Consequently, no other like-minded country has adopted such measures. Established coordinated vulnerability disclosure standards emphasize that vulnerabilities should only be disclosed once mitigation measures are available.

All signatories are prepared to collaborate with the European Parliament and Council, offering insights and perspectives on this matter, as well as on other ongoing discussions regarding different articles, to ensure that vulnerabilities are handled responsibly and contribute to strengthening Europe’s cybersecurity protection.
October 20, 2023