Provisions in the European Union’s proposed Cyber Resilience Act drew more fire from dozens of high-profile cybersecurity and technology advocates. The feedback came in the form of a new open letter signed by heavy hitters from the cybersecurity community, former government officials and members of technology and government think tanks, who took the EU to task for vulnerability disclosure requirements under the CRA as it is written now.

The letter urged EU lawmakers to reconsider Article 11 of the CRA, which requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation.

“This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities, without the ability to leverage them to protect the online environment and simultaneously creating a tempting target for malicious actors,” the letter explained.

This could pose a host of cybersecurity and software logistics nightmares for enterprise software and open source software projects that seed the DevOps software supply chain. First among them, named by the letter, is that it rushes the vulnerability disclosure process and will make it too easy for the bad guys to use this to their advantage.

“Vulnerability disclosure is important; however, the 24-hour disclosure rule is dangerous as the disclosures will serve to arm cybercrime syndicates with a trove of viable [zero]-days,” says Tom Kellermann, SVP of cyber strategy at cybersecurity company Contrast Security and one of the letter’s co-signers. “Getting it right is imperative to build trust between software publishers, governments and corporations.”

According to another co-signer, Christine Bejerasco, chief cybersecurity officer for WithSecure, the provisions of the CRA put undue pressure on enterprises and small organizations who already struggle with prioritizing software fixes.

“If we now start publishing these unpatched, exploited vulnerabilities, it wouldn’t take much to reconstruct them and for the proof-of-concept to be uploaded to a public GitHub repository. It reminds me a bit of EternalBlue and NotPetya in 2017,” Bejerasco said. “Even secure nation-state agencies can be compromised, and even when a vulnerability is already patched, the global cost of the impact could be severe. It took a while to get from full disclosure to responsible disclosure. Let’s not take a step back.”

While not explicitly stated in this latest letter, these vulnerability disclosure requirements could also add strain to the open source ecosystem. Many parties are still figuring out how to navigate vulnerability disclosure and remediation when a zero-day flaw comes to light in the open source software supply chain.   

“The CRA, as written, will impact open source software and modern DevOps development practices,” warned Kellermann.

This recent open letter to the EU about CRA comes on the heels of other criticism in recent months of additional provisions that discourage commercial support of open source software. The Linux Foundation Europe is heading up a movement to #FixTheCRA and dozens of high-profile open source projects, foundations and software development organizations like Mozilla, Python Software Foundation, GitHub and Sonatype have all chimed in about the chilling effects the CRA will have on software supply chain innovation and functionality.

“The need for yet another open letter to the commission should be a warning to EU leaders about the flaws at the heart of the CRA and the unrest it is causing,” said Amanda Brock, CEO of OpenUK, of the recent open letter. “The language in the CRA remains hugely problematic, with Recital 10 stating that open source software developed or supplied outside the course of commercial activity should not be covered by this regulation, but it appears to still apply to developers contributing to open source software in the course of their employment. In so doing, it also leaves the open source foundations, which have become the safe, neutral groups, exposed, as the commission has been clear that although these are non-profits, they should be regarded as commercial entities.”

Brock predicted that if the CRA is implemented in its current form, the software development world could expect to see some projects avoiding liability by blocking access to their code and repos from European locations.

“This just cannot be a good position for any country that wants to be recognized as a digital hub or a force for software innovation,” Brock said.