President and CEO of Developers Alliance, Bruce Gustafson, has co-signed a joint letter with industry experts calling on EU lawmakers to reconsider the vulnerability disclosure requirements under the proposed EU Cyber Resilience Act (CRA).
Article 11 of the CRA requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.
This raises serious risks such as:
- misuse for intelligence and surveillance
- exposure to malicious actors
- a chilling effect on good-faith researchers.
The cybersecurity experts recommend that Article 11, paragraph 1, be either removed in its entirety or revised to address the issues mentioned above.
The letter can be read here.
The following quote can be attributed to Bruce Gustafson, President and CEO of Developers Alliance:
“Putting up a billboard saying the locks are broken on your neighbor’s front door isn’t a smart security practice. The software community has developed a robust and time-tested procedure for reporting and acting on product security issues; at its core it provides a critical window for creating and propagating a fix before making a weakness public and inviting bad actors to exploit it. The fact that the experts with the most knowledge are all warning against this policy change should be warning enough for lawmakers to avoid a mistake that puts the public at risk.”
About The Developers Alliance
The Developers Alliance is the world’s leading advocate for software developers and the companies invested in their success. Alliance members include industry leaders in consumer, enterprise, industrial, and emerging software development, and a global network of more than 75,000 developers.