A step forward for government vulnerability disclosure in Europe

We’ve argued for many years that governments should implement transparent processes to review and disclose the vulnerabilities that they learn about. Such processes are essential for the cybersecurity of citizens, businesses, and indeed governments themselves. To advance policy discourse on this issue in Europe, we recently participated in the Centre for European Policy Studies (CEPS) Taskforce on Software Vulnerability Disclosure. The Taskforce’s final report was published this week. It makes a strong case for the need for government vulnerability disclosure policies, and it comes at a critical juncture as European policymakers debate the EU Cybersecurity Act.

As the developer of a browser used by hundreds of millions of people every day, it is essential for us that vulnerabilities in our software are quickly identified and patched. Simply put, the safety and security of our users depend on it. The disclosure of such vulnerabilities (and the processes that underpin it) is particularly important with respect to governments. Governments often have unique knowledge of vulnerabilities, and learn about them in many ways: through their own research and development, by purchasing them, through intelligence work, or by reports from third parties. Crucially, governments can face conflicting incentives as to whether to disclose the existence of such vulnerabilities to the vendor immediately, or to delay disclosure in order to support offensive intelligence-gathering and law enforcement activities (so-called government hacking).

The Centre for European Policy Studies (CEPS) report on Software Vulnerability Disclosure in Europe is the product of a broad stakeholder taskforce that included a diverse body of actors such as Airbus, the European Telecom Network Operators Association (ETNO), and the global digital rights advocacy group Access Now. Importantly, it reaffirms the need for European governments to put in place robust, accountable, and transparent government vulnerability disclosure review processes. While the taskforce’s work focused on the disclosure of vulnerabilities acquired by government, it is clear that more policy work is required with respect to the processes underpinning acquisition, exploitation and the operational mechanics of disclosure by governments in Europe.

Unfortunately, most EU governments have not yet implemented vulnerability disclosure review processes, a fact that constitutes a serious concern at a time when the cyber attack surface continues to widen. Luckily, European Union lawmakers have a unique opportunity to address this issue, and advance the norm that all Member States should have vulnerability disclosure processes. The European Parliament and the EU Council are presently debating the proposed EU Cybersecurity Act, and we reiterate our call on European policymakers to use this legislation to give ENISA (the EU Cybersecurity agency) the mandate to assist and advise Member States on the development of policy and practices for government vulnerability disclosure.